A FEW HIGHLIGHTS


Security risks come in many forms, from disgruntled employees to passwords left on Post-it Notes in plain view. This In Depth report — the first in a monthly series on crucial IT topics — identifies the dangers you might overlook, the technologies that could protect your business and the kind of people you’ll need to pull your company out of a tough situation.

■ Cyberattacks by insiders

■ The top 10 security mistakes

■ A deluge of false alarms from intrusion-detection systems

■ Computer forensics that involve more than just hackers

See In Depth, pages 33-60.

GET MORE IN DEPTH INFO: Dig into our huge collection of IT security articles, research links and white papers at www.computerworld.com/indepthsecurity. ■ Congress threatens action on privacy and security. ■ Legal changes may help protect corporate secrets. ■ Is XML a security risk or a security tool? ■ Traps you can set for intruders. ■ Will P3P become the new standard for privacy? ■ How can you make PKI practical?


IN DEPTH SECURITY


PRIVACY ACT COSTLY IN FINANCE SECTOR

Firms spend millions to recast databases

BY LUCAS MEARIAN

Even as federal regulators began enforcing the massive reforms of the Financial Services Modernization Act last week, companies were still scrambling to create automated systems to ensure their compliance with the new privacy regulations.

Also known as the Gramm-Leach-Bliley Act, the legislation requires financial firms to let their customers opt out, or choose not to let their personal information be shared with outside companies.

Financial firms have spent more than $400 million compiling privacy policies and identifying partners and third parties with whom they share data, according to Needham, Mass.-based TowerGroup. The total cost of compliance with the new legislation could swell to three times that figure and could skyrocket to Y2k spending proportions if Congress
Privacy, page 69


ANTITRUST

MICROSOFT CASE MAY YIELD CHOICE

Some apps could be separated from OS

BY PATRICK THIBODEAU

WASHINGTON

The recent U.S. Court of Appeals decision in the Microsoft antitrust case could ultimately give corporate end users the ability to pick and choose among some Windows applications that the company plans to integrate with future versions of the operating system, say some legal and industry analysts.

“Just think about the extent to which future Microsoft planning includes writing software code for collaborative applications into the Windows [operating system] itself,” said Herb Hovenkamp, an antitrust expert and law professor at the University of Iowa in Iowa City. “I think Microsoft is going to have to rethink that whole strategy.”

The case is still unsettled, and its ultimate impact, if any, on Microsoft Corp.’s operating system
Microsoft, page 69
NEWS

6 Eli Lilly reveals e-mail addresses on drug reminder list; the ACLU complains of privacy violation.

8 Nasdaq to launch order service this week, raising volume on a network that crashed in June.

10 Threat database targets real points of attack, not just vulnerabilities hackers don’t exploit.

12 CA sues, cuts bonuses to resist an executive coup attempt aimed at breaking up the company.

14 Non-IT products phone home, using an IBM system with remote diagnostics and notification to make service faster, more efficient.

22 Security stocks drop as corporate spending cuts that hurt the tech market finally reach them.


Opinions

Maryfran Johnson 24

Pimm Fox 24

David Foote 25

Fred Wiersema 28

Michael Gartenberg 28


ONLINE

Dear Career Adviser

Columnist Fran Quittel answers readers’ questions about job opportunities and surviving a merger.
www.computerworld.com/careers

House Majority Leader Attacks HIPAA

House Majority Leader Dick Armey recently criticized parts of the HIPAA regulations and their impact on security and privacy issues. Read his full letter to Health and Human Resources Secretary Tommy Thompson at www.computerworld.com/security.

MORE ONLINE: For breaking news - updated twice daily, at noon and 5 p.m. - visit our Web site.
www.computerworld.com/latestnews


IN DEPTH SECURITY

33 Risk & Reward

Sure, e-commerce is risky. But hackers aren’t the only thing to worry about, and firewalls aren’t the only way to protect online transactions enough to build the Web into a solid, profitable business medium.

The first in Computerworld’s new, monthly In Depth series examines the risks and the rewards of e-commerce, and how to minimize one while maximizing the other.

34 The Enemy Within

Sometimes the greatest threat comes from the enemy in your office, not the one at the gate. But there are ways to defuse even the worst potential offenders.

36 The Threat of XML

XML is so popular and such an obvious way to make difficult data connections that few suspect that it may be as dangerous as it is valuable.

ONLINE: Even so, XML will become much more secure — if authentication and certificate protocols are ever accepted.
www.computerworld.com/indepthsecurity

38 Top 10 Security Mistakes

Some precautions aren’t that complicated, but fixing simple problems is harder than you think.

40 Playing By Europe's Rules

The European Union just signed a treaty standardizing cybercrime laws across the continent, and it won’t take long for U.S. companies to feel its effect.

ONLINE: Read more about the treaty and what Europeans are saying about it and the U.S.
www.computerworld.com/securitylinks

42 False Alarm

Intrusion-detection tools have gotten a lot better, but sorting out major attacks from false alarms is still a big problem.

ONLINE: Tips to help you decide when it makes sense to outsource intrusion detection.
www.computerworld.com/indepthsecurity

44 Deadly Pursuit

Not all online crime detection is virtual. Meet a forensics expert who uses computers to track murderers, not just computer criminals.

ONLINE: How to launch a computer forensics career.
www.computerworld.com/indepthsecurity

ONLINE

Capitol Crunch

Dozens of bills are making their way through Congress to change the way IT handles privacy, spam and a raft of other issues. See which ones are most likely to pass.
www.computerworld.com/indepthsecurity

Private Investigation?

Companies that share private IT data with the feds risk having it released to the public. Some are trying to change the Freedom of Information Act to protect IT while still cooperating to nail the bad guys.
www.computerworld.com/indepthsecurity

48 Unlocking Secure Online Commerce

Public-key networks have been so hard to set up that few users have bothered. But that may change as PKI’s value becomes clearer.

ONLINE: Research how to build a PKI network, and which tools to use and why.
www.computerworld.com/securitylinks

52 Giving Users Back Their Privacy

The P3P protocol may not make Web surfing really private, but it can give customers more control — and create headaches for you.

58 Snapshot

Stats and graphs on how dangerous bad security can be.


Also In Depth . . .

46 Security Manager’s Journal

Vince turns detective to track down users who step over the line.

54 Joe Auer warns that mistakes on security contracts can leave end users unprotected — at just the wrong time.

56 Emerging Companies

Finjan’s software is designed to find malicious code, not just predefined viruses.


Picking Your Targets

Even the most activist IT operation has to decide where to put its attention; here’s a rundown of what the government is up to that may affect you.
www.computerworld.com/indepthsecurity
Shell, IBM Ink $100M E-Business Apps Deal


In a cost-cutting bid, The Hague-based Royal Dutch/Shell Group will set up three worldwide hubs to standardize and consolidate its global IT applications infrastructure. The three data centers, to be located in Houston, The Hague and Kuala Lumpur, Malaysia, will provide the core infrastructure for Shell’s range of enterprise resource planning and e-commerce applications. Shell chose IBM as the prime hardware provider for the centers under a five-year, $100 million agreement. IBM will supply eServer systems, enterprise storage servers and technical support and services.


Ditmore Surfaces At Bank One

James Ditmore, former CIO at Omaha-based Ameritrade Holding Corp., has landed a job as Bank One Corp.’s chief technology officer for infrastructure and operations. The Chicago-based bank announced last week that the 41-year-old IT veteran will join the company on July 16 to oversee service levels for systems availability and operations and define the company’s technology architecture and standards. Ditmore will also be responsible for network, enterprise computing and desktop/mobile platforms.


Short Takes

CHINA NATIONAL COMPUTER SOFTWARE AND TECHNOLOGY SERVICE CORP. will build a software and hardware encryption module for MICROSOFT CORP.’S Windows XP Professional Chinese edition. . . . Schaumburg, Ill.-based MOTOROLA INC. has agreed to sell its Multiservice Networks Division to PLATINUM EQUITY in Los Angeles. . . . RADIOSHACK CORP. in Fort Worth, Texas, has agreed to purchase Microsoft’s 25% minority interest in RadioShack.com LLC for $88 million in cash. The move gives RadioShack 100% ownership of RadioShack.com.


Vendor Sues User in ‘Man Bites Dog’ Case

Analysts say slow economy may spur more cases like that involving CSC and Saks

BY JULEKHA DASH

Technology consulting firm Computer Sciences Corp. (CSC) has filed a lawsuit against retailer Saks Inc. accusing it of misappropriating trade secrets and violating the terms of an IT services contract signed by the two companies early last year.

Analysts described the suit, which was filed June 18 in U.S. District Court for the Northern District of Georgia, as atypical, since users are usually the ones that initiate litigation against vendors when contract disputes arise. But such battles may become more commonplace as both vendors and users face growing financial and competitive pressure in today’s slowing economy, according to at least one analyst.

“This is a case of man bites dog. It’s an oddity,” said Tom Rodenhauser, president of Consulting Information Services LLC in Keene, N.H. “You don’t sue [a client] unless you’ve given up forever on them.”

Neither El Segundo, Calif.-based CSC nor Saks, a Birmingham, Ala.-based company that operates Saks Fifth Avenue and other department store chains, would comment on the case, though both companies acknowledged that the suit had been filed.

According to a statement CSC filed with the court, Saks agreed in January 2000 to let the consulting firm take over its contract negotiations with telecommunications suppliers and computer software and hardware vendors. The move was expected to save the retailer about $2 million in annual costs, CSC claimed.

CSC reviewed Saks’ telecommunications contracts to see what kind of savings the retailer could get by purchasing the services through agreements the consulting firm has with the suppliers, the suit said. But CSC alleged that Saks used the confidential information “as bargaining tools in [its] own negotiations with telecommunication service providers.”

As part of the suit, CSC is seeking compensatory and punitive damages plus attorneys’ fees from Saks. Although the consulting firm didn’t specify the amount of damages it’s requesting, the suit claims that Saks owes CSC nearly $1.5 million plus interest for its services.

Contract disputes like this one may become more commonplace, said analyst Alden Cushman at Kennedy Information Inc. in Fitzwilliam, N.H.

As a result of the dot-com collapse and the slowdown in the economy and IT spending, some clients may be finding ways to save money on IT instead of leaving the work to a consulting firm, which could result in possible misunderstandings, Cushman said.


See You in Court

CSC’s lawsuit alleges that:

► CSC performed an analysis of Saks’ contracts with telecom providers, but Saks used the information to negotiate agreements on its own.

► Saks used improper means to acquire confidential information from CSC.

► Saks owes CSC about $1.5 million plus attorneys’ fees.


ACLU Knocks Eli Lilly for Divulging E-Mail Addresses

Site’s prescription reminder reveals names of recipients

BY JULEKHA DASH

Pharmaceutical firm Eli Lilly and Co. inadvertently divulged the e-mail addresses of 600 patients to one another due to a computer programming error revealed last week. The incident sparked an outcry from the American Civil Liberties Union for the breach of privacy, and analysts noted it’s the kind of event that will violate pending health care rules.

The incident occurred when the drug maker sent an electronic message to its registered Web site users to notify them that the site’s “reminder” feature, which alerts them to take their medication, would be discontinued due to a redesign. Instead of each message being sent individually, the system sent one e-mail, whose “to” field revealed the complete e-mail addresses of about 600 patients, according to Eli Lilly spokeswoman Anne Griffin. Indianapolis-based Eli Lilly makes the antidepressant drug Prozac and other drugs.

The affected patients were those who had signed up for the e-mail reminder service. Griffin described the mistake as an “isolated event” and the result of a programming error.

To prevent other such incidents, Eli Lilly is preparing a code audit review and is “working on a program that would block all outbound e-mails with more than one address,” said Griffin.

The company is also talking to its employees about the importance of protecting patient privacy, she said.

Analysts said the error violates the pending Health Insurance Portability and Accountability Act (HIPAA), which, among other things, stipulates that health care organizations must establish policies and procedures to protect patient privacy. But the drug maker won’t face any HIPAA penalties because organizations have until April 2003 to comply with the rules.

The company’s mistake came under fire from the New York-based ACLU, however. In a letter, the ACLU asked the Federal Trade Commission (FTC) to investigate Eli Lilly for consumer privacy violations.

“If this breach of duty goes unnoticed, it could raise the possibility not only that Eli Lilly will continue to injure consumers and harm the public interest, but that other companies will be encouraged to engage in similarly unfair and deceptive practices,” wrote Barry Steinhardt, ACLU associate director, and Christopher Chiu, Internet policy analyst.

During the next two years, health care organizations will have to review the way they communicate health information with patients to comply with HIPAA.


E-Mail Error

Eli Lilly says a programming error led to mishap.

► Patients had signed up for e-mail reminders to take a prescription drug or for other health matters. About 600 patient addresses were identified in a mass e-mail.

► The ACLU has asked the FTC to investigate the error for possible consumer privacy violations.
Mitsubishi to Consolidate 700 Networks Using Provider

Hopes investment in and move to ANX hub will improve, lower cost of service

BY LEE COPELAND GLADWIN

Imagine operating seven industrial-grade private networks and point-to-point bandwidth connections worldwide. Multiply that number by 100, and you will understand the IT challenge facing Mitsubishi Corp.

To consolidate its sprawling network morass, Tokyo-based Mitsubishi this week plans to take a 20% equity stake in networking provider ANXeBusiness Corp. and make ANX its primary networking hub. It’s also a deal that analysts and users say will fuel a long-awaited expansion of Southfield, Mich.-based ANX’s services into the Pacific Rim.

“We have a huge EDI [electronic data interchange] network of 700 different networks, and it’s really a headache and difficult to manage and to maintain security levels across the networks,” said Junji Inoue, senior vice president of e-commerce at Mitsubishi, which posted $124 billion in revenue last year. Inoue said he expects that using ANX’s network will both reduce costs and provide better data communications between its diverse subsidiaries — for example, in the petroleum, chemical and consumer electronics industries — and their numerous suppliers.

Financial terms of the deal weren’t disclosed. Mitsubishi plans to implement ANX at its corporate headquarters and its 650 international subsidiaries whenever possible. It will also conduct a feasibility study this summer on how to market the service to its trading partners, Inoue said.

“We’re in a good position to expand the ANX service to other industries other than automotive,” said Inoue.

With bandwidth rates of 1.5M bit/sec. and higher, ANX allows its customers to exchange computer-aided design files, encrypted messages and EDI transactions to internal facilities and external suppliers and partners, said Erik Naugle, chief technology officer at ANX.

“ANX is already the de facto standard for any company in the automotive industry,” said Zeus Kerravala, an analyst at The Yankee Group in Boston. “This cash will help them expand globally and will solidify their position as a premier networking company.”

The Automotive Industry Action Group (AIAG), a trade association of automakers and suppliers, launched ANX in 1997 to provide a central point of connectivity to the major automakers and their suppliers in the U.S. and Canada. The Southfield, Mich.-based organization attracted 280 automotive customers but couldn’t fund or manage expansion into other vertical industries, Europe and Japan. So in December 1999, the AIAG sold ANX to San Diego-based Science Applications International Corp. to meet its growth goals, according to a former AIAG official and ANX.

Since then, ANX has widened its focus to other verticals, such as financial services and health care, said Naugle. The customer roster now includes about 850 companies, he said.

The Mitsubishi deal suits ANX customers such as Dofasco Inc., a $2 billion manufacturing company that produces steel for the construction, packaging and automotive industries.

“[This deal is] very promising because it could help develop ANX deployments in Asia Pacific,” said Doug Buchanan, business technology manager at the Hamilton, Ontario-based company. He said Dofasco’s EDI costs have been cut in half because ANX charges a flat fee to customers, as opposed to other bandwidth suppliers that charge based on the volume of transactions. Further expansion could cut costs even more, Buchanan said.


Network Deal

Mitsubishi has ambitious plans for ANXeBusiness.

■ Mitsubishi plans to announce a 20% equity investment in ANX.

■ The $124 billion conglomerate will use ANX to consolidate its 700 private nets.

■ Mitsubishi plans to build out ANX's existing network infrastructure to support operations in the Pacific Rim.


Visa Offers Security Spec for E-Transactions

Banks, retailers begin installation of payment tech

BY LUCAS MEARIAN

Teaming up with more than 60 technology vendors, Visa International Inc. has rolled out a new technical specification to support payment authentication services for online credit card transactions worldwide.

Foster City, Calif.-based Visa International’s new 3-D Secure 1.0 specification puts a global spin on payment authentication capabilities that Visa’s U.S. operations detailed in May. But at least one industry analyst criticized Visa’s specification, saying that it and others like it used technology that was “lying around the shop” and that it could be a lot smarter.

Front-End Limitations

The technology lets consumers buying items online authenticate their identities with passwords or personal identification numbers through windows that pop up after their credit card numbers are entered.

Cardholders can use traditional Visa cards or smart cards at the electronic storefront. But that’s where the smart-card technology stops — at the front end. Analysts said the system could go further by allowing card-issuing banks to tie that information into relational databases that could, for example, add frequent-flier miles based on a rewards program to the card’s memory.

“I wish that [Visa and MasterCard] and American Express and Discover would take chips seriously and use it for the security it offers,” said Theodore Iacobuzio, an analyst at Needham, Mass.-based research and consulting firm TowerGroup.

IT managers at hundreds of banks and retailers will now be faced with installing the new specification during the next 18 months.

Tickets.com Inc. in Costa Mesa, Calif., decided to jump on board Visa’s new authentication network because the company believes the specification gives customers better security than chief competitor and market leader Ticketmaster.

“When you talk to customers about their biggest concern over conducting transactions on the Internet, security comes out as their No. 1 major concern,” said Andy Donkin, president of Tickets.com’s Internet ticketing group.

Mark Redding, vice president of Web development at Tickets.com, said he spent two weeks configuring his Web servers for the new specification and had a “few issues” with that end of the implementation. But, he added, “the coding literally took less than a week.”

Oliver Althoff, a spokesman for Fleet Credit Services in Boston, said the installation difficulties on the back end depend entirely on a financial service company’s existing network. For Fleet, which has a robust customer service network, it was an eight-month process that included adding Web servers both on- and off-site for redundancy and backup capability.

“We had some significant expenses around the smart-card technology, but we had a robust servicing platform that we were able to piggyback on,” Althoff said.

Randi Purchia, an analyst at AMR Research Inc. in Cambridge, Mass., agreed with Iacobuzio that the technology Visa is using is nothing new. Merchants will be quick to adopt it because verifying the cardholder’s identity promises to cut in half the number of chargebacks, or failed purchase attempts, they currently experience, Purchia said.

“I’d agree that the smart-card solution is the place where this is all heading,” Purchia said. “It’s just not moving as fast as we would hope.”


Giving Credit Where It’s Due

A sampling of vendors that contributed to Visa International's authenticated payment system:

► Accenture
► Cap Gemini Ernst & Young
► Ericsson
► Go Software
► IBM
► iPrivacy
► Microsoft
► Motorola
► Oasis Technology
► Oracle
► SchlumbergerSema
► SkyGo
► Sonera SmartTrust
► Sun Microsystems
► Toshiba
► Unisys
Nasdaq Launches Revised Order System

Testing problems rouse concerns with users

BY LUCAS MEARIAN

As the Nasdaq stock market prepared last week for today’s launch of its revised version of the Small Order Execution System (SOES), analysts said problems revealed in trial runs are making electronic communications network (ECN) companies hesitant to use the expanded messaging network.

Nasdaq shut down for an hour June 29, after a technical snafu led to a slowdown of its SOES and SelectNet quote-update networks.

It’s that kind of mistake that has sparked skepticism over the new SuperSOES service, according to Damon Kovelsky, an analyst at Meridien Research Inc. in Newton, Mass. Declining to comment on specifics, Kovelsky said Nasdaq’s test of its SuperSOES network has revealed some “serious problems ... all of a technological nature.”

In a statement last week, Washington-based Nasdaq Stock Market Inc. said, “Currently, all systems seem prepared, and the launch date is firm. However, Nasdaq will not implement SuperSOES if we are not confident our system is ready. We are retaining the legacy system, so it will be possible to revert to the old platform.”

SuperSOES, which will operate during normal market hours only, will increase the number of trades in one transaction a thousandfold, from the current 999 to 999,999. SelectNet is currently used for all large trade orders.

The first pilot of the SuperSOES system will launch today and will include 20 securities — 18 Nasdaq National Market securities and two test stocks. The full implementation of SuperSOES will begin July 30 and will include all Nasdaq National Market securities.

The hope, said analysts, is that the new communications network will eventually make SelectNet obsolete. That system is clunky and slow and has been troubled by outages, they said. “It’s the Nasdaq platform ECNs love to hate,” said Kovelsky. ECNs are private trading networks that let people conduct stock transactions without going through Nasdaq market makers such as Goldman, Sachs & Co. in New York.

But the ECN companies seem skeptical that SuperSOES is the answer.

Margaret Nagle, a spokeswoman at Archipelago Holdings LLC, an ECN in Chicago, said the firm won’t use SuperSOES as its automatic order-execution engine in the immediate future because Archipelago already has its own.

Nagle said Archipelago has tested the SuperSOES system with Nasdaq over the past few weekends and hasn’t seen any problems. “But things operate differently in test environments than when you’re live,” she said. “We don’t know yet how quickly quotes will be updated in this new system. We


Says subscribers will stay connected

BY LINDA ROSENCRANCE

Wireless Internet access provider Metricom Inc. filed for bankruptcy protection last week but said it plans to keep subscribers to its Ricochet service connected during reorganization.

Metricom filed a petition for reorganization under Chapter 11 of the U.S. Bankruptcy Code in San Jose, where the company is based. Under Chapter 11 protection, Metricom plans to “restructure its operations and debt obligations while maintaining its wireless network and continuing to provide service to customers and resellers in the 15 metropolitan areas it serves,” the company said in a statement.

“They could never find a place in their network where there was a high volume of traffic and [where] the economy played in their favor,” said Ken Dulaney, an analyst at Gartner Inc. in Stamford, Conn.

The company said it had 40,900 subscribers at the end of March. Metricom charges up to $79 per month for unlimited airtime but offers volume discounts to $59 per month for organizations with more than 20 accounts.

Ricochet subscriber Alan Foster, vice president for government and community affairs at Sanyo North America Corp. in San Diego, said that although he likes the Ricochet service, the price is somewhat prohibitive, especially since it’s offered in a
very  limited  market. 

Foster  said  he’s  concerned 
about  Metricom’s  bankruptcy 
filing.  Ricochet  works  well  in 
the  cities  where  it’s  offered, 
“but  because  it’s  so  expensive, 
I  couldn’t  really  get  enough 
people  to  buy  into  it.  I  talked  to 
a  lot  of  people,  and  they  said 
it’s  not  offered  everywhere 
they  travel,”  he  said.  “Maybe  if 


wouldn’t  want  to  give  stale 
quotes.” 

Andrew  Goldman,  an  execu¬ 
tive  vice  president  at  The  Is¬ 
land  ECN  Inc.  in  New  York, 
welcomed  the  launch  of  Super¬ 
SOES  as  a  positive  step.  But  he 
stopped  short  of  saying 
whether  Island  would  ever 
consider  the  network  as  its  pri¬ 
mary  automatic  order-execu¬ 
tion  engine. 

In  fact,  Nasdaq  said  in  its 
statement  that  so  far,  no  ECN 
has  indicated  that  it  will  be  a 
full  SuperSOES  participant 
willing  to  accept  automatic  or¬ 
der  executions  against  its 
quotes. 

Meanwhile,  Nasdaq  spokes¬ 
man  Scott  Peterson  said  the 
June  29  outage  won’t  affect  the 
launch  of  SuperSOES. 

Software  problems  have 
plagued  the  stock  exchange’s 
SOES.  Last  year,  trading  had  to 
be  halted  at  least  five  times  for 
up  to  11  minutes  because  of 
slowdowns  in  the  network, 


the  prices  came  down,  more 
people  would  [subscribe].” 

Foster,  who  said  he  also  sub¬ 
scribes  to  Earthlink,  said  Met¬ 
ricom  needs  to  be  more  ag¬ 
gressive  in  marketing  its  prod¬ 
uct  in  order  to  survive.  Howev¬ 
er,  he  said,  “if  they  fail,  there 
will  be  someone  else”  to  take 
their  place. 

Edwin  Robertson,  technolo¬ 
gy  director  at  Corpo¬ 
rate  Financial  Ser¬ 
vices  in  Philadelphia, 
said  he  used  the  ser¬ 
vice  on  a  trial  basis 
about  six  months  ago 
but  decided  not  to 
subscribe.  “They 
couldn’t  cover  the  areas  I 
needed,”  he  said.  “I  live  in 
Maryland,  but  the  only  place  I 
could  get  a  good  [connection] 
was  in  Philadelphia.” 

Robertson  said  Metricom’s 
only  hope  is  to  solidify  its  in¬ 
frastructure.  “People  have  to 
have  access  to  the  Web 
through  [Metricom’s]  product 
[wherever  they  are].  Right 
now,  it’s  like  buying  a  car  with 
no  tires.” 


AT  A  GLANCE 


SuperSOES 

According  to  Nasdaq.  SuperSOES  is  a  re¬ 
vised  version  of  the  Small  Order  Execution 
System,  its  current  automatic  execution 
trading  system.  SuperSOES  will  become 
the  primary  order-routing  and  auto¬ 
matic  execution  system  for  Nasdaq 
National  Market  securities.  At  the  same 
time,  these  enhancements  will  re-establish 
SelectNet  as  a  nonliability  system  for  order 
delivery  and  negotiation. 


which  is  provided  by  World¬ 
Com  Inc.  “We  have  resolved 
this  issue  and  will  continue  to 
work  with  Nasdaq  to  take  all 
steps  necessary  to  ensure  it 
does  not  recur,”  WorldCom 
CEO  and  President  Bernard  J. 
Ebbers  said  in  a  statement. 

A  Nasdaq  official  said  the 
most  recent  shutdown  was 
caused  by  a  WorldCom  techni¬ 
cian  who  entered  a  command 
into  the  live  network  instead  of 
the  test  network  on  which  he 
was  running  a  program.  I 


Ricochet  also  faces  increas¬ 
ing  competition  from  other 
providers  of  both  wireless  and 
wired  services,  Dulaney  noted. 
“People  in  their  homes  are  go¬ 
ing  to  use  high-speed  [land¬ 
line  connections];  people  in 
airports  are  going  to  use 
802.11b,”  he  said. 

The  802.11b  wireless  LAN 
standard  operates  at  up  to  11M 
bit/sec.  The  Ricochet  service 
tops  out  at  128K  bit/sec. 

Metricom  offers  its  high¬ 
speed  service  in  Atlanta,  Balti¬ 
more,  Dallas-Fort  Worth,  Den¬ 
ver,  Detroit,  Houston,  Los  An¬ 
geles,  Minneapolis-St.  Paul, 
New  York,  Philadelphia,  Phoe¬ 
nix,  San  Diego  and  the  San 
Francisco  Bay  area.  It  offers  a 
28.8K  bit/sec.  service  in  Seattle 
and  Washington. 

The  bankruptcy  announce¬ 
ment  follows  a  troubled  start 
to  the  year  for  Metricom.  In 
February,  Timothy  Dreisbach 
resigned  as  the  company’s 
chairman  and  CEO.  In  March, 
the  company  announced  plans 
to  lay  off  about  25%  of  its  800 
employees.  ► 


IDG  News  Service  correspon¬ 
dent  Douglas  F.  Gray  con¬ 
tributed  to  this  report. 


Metricom  Files  for  Bankruptcy  Protection 
Oracle Users Cautiously Optimistic About Pricing Changes

BY DAN VERTON

Users are applauding Oracle Corp.’s move to cut database software prices and discontinue the controversial power-unit pricing, but they’re taking a wait-and-see approach to Oracle’s new cost-conscious view of the world.

Oracle CEO Larry Ellison announced the move to per-processor licensing last month, when he unveiled the company’s Oracle9i database. The change came after a third-quarter earnings shortfall and a year of negative publicity that was fueled by user discontent with Oracle’s power-unit pricing model, which many characterized as exorbitant.

Now, with per-processor based fees that reduce costs for some configurations by as much as 15% to 18% compared with the power-unit approach, users said they’re optimistic about their futures as Oracle customers.

However, most said the economy must improve before they can buy more software.

“The new pricing is much more acceptable and competitive,” said Doug Cummings, manager of new technologies at Andover, Mass.-based Vicor Corp. “I think that the overall reaction to the policy change is positive. [However], with the economy like it is, we are just not spending like we were in the past.”

Rich Niemiec, president of the International Oracle Users Group-Americas, a Chicago-based organization that represents Oracle’s database users, said users are telling him that the price changes came at the perfect time. “The main things that I’m hearing is that pricing is much simpler to understand [and] the price reductions come at a great time — when times are tougher,” Niemiec said. “It keeps people on Oracle and thinking about Oracle9i and when to move to it.”

Other users, like Michael Karaman, vice president and chief technology officer for product development at The Medstat Group Inc. in Ann Arbor, Mich., agreed that the price changes are welcome but said it’s too early to see any impact. “This is certainly a move in the right direction,” said Karaman.

Oracle’s pricing spokesperson was unavailable for comment last week because of the holiday, and attempts to speak with someone else were unsuccessful.

Yet, while Oracle’s move to per-processor pricing resulted in price reductions for users, some still say the $40,000 per-processor price tag for the enterprise software edition is a little high compared with the $22,000 IBM charges for a DB2 enterprise license. John Chadwick, a U.K. government Oracle user, said the price of an Oracle database could still put off small and medium-size clients in the U.K., where funds are even harder to come by.

“Customers are still very much in ‘Let’s digest this all before we go ahead with anything’ mode,” said James Governor, an analyst at Illuminata Inc. in Nashua, N.H. Users are weighing what the changes will mean for them in practice, he said. “I don’t think Oracle can escape the premium-pricing tag overnight. I would say it’s still a little too early to call.”


Firm Tracks Threats, Not Vulnerabilities

TruSecure aims to monitor what hackers really exploit; some say that’s not so easy

BY DAN VERTON

Companies today are at as much risk of falling victim to security information overload as they are of getting hacked. The number of security advisory services that claim to offer a way to stay ahead of the hundreds of technical vulnerabilities discovered each day has made it virtually impossible for companies to know for sure if they’re getting the right information.

TruSecure Corp., a Reston, Va.-based security firm, claims it has an answer. Using the client base of 36,000 Internet-connected systems it monitors, TruSecure is developing a threat database that it says will rightfully shift the discussion toward a more effective security model: from one of what vulnerabilities are out there to one that highlights what hackers are actually doing.

Other organizations use a similar approach, but the TruSecure database would power the first alert service based exclusively on threat data pertaining to hacker activity and not on vulnerabilities in general. “A vulnerability without a threat isn’t worrisome,” said Peter Tippett, TruSecure’s chief technologist. “We’re focused on risk . . . where there are both vulnerable systems and people shooting.”

The threat database will complement TruSecure’s vulnerability database. It will be offered in conjunction with the company’s quarterly list of the top 10 hacker exploits that it says are responsible for 99% of all successful network intrusions (see chart).

“If we focus on protecting against the stuff that really happens, then we’re protecting against the relevant stuff,” he said. “A quarterly upgrade of systems gets you a twentyfold reduction of risk.” TruSecure couldn’t say when the database would be completed.

Other security experts and analysts agreed with Tippett’s general argument and acknowledged the need for threat information. But most questioned the ability of any one vendor to collect enough detailed information to be able to determine what exploits hackers are actually using. They also pointed to potential problems with TruSecure’s focus on what Tippett calls “the easy stuff.”

“They’re completely right. Looking at a hundred vulnerabilities a day does nothing for you,” said Tim Belcher, chief technology officer at security monitoring firm RipTech Inc. in Alexandria, Va. “However, I’m sure that without a very good monitoring base, it would be very difficult to tell what is being done successfully.”

One organization that tries to offer both vulnerability reporting and threat data is the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

“We go to great pains to understand which vulnerabilities are most serious and which are most likely to be exploited by hackers,” said Shawn Hernan, team leader for vulnerability handling at CERT.

Hernan also warned against focusing too much energy on the easy exploits.

“Intruders are adaptive and trying to get too simplistic just causes the intruders to pick something else,” he said. “If you fix the top 10 [vulnerabilities], they’ll pick No. 11 or No. 26.”

John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., acknowledged that analyzing threats has its merits. But he also questioned the ability to know for sure what exploits are being used and warned that by focusing too much on random attacks, some companies could be lulled into thinking they aren’t vulnerable to specific, targeted attacks.

“If the vulnerability exists, sooner or later someone will shoot at it,” said Keith Morgan, chief of information security at Terradon Communications Group LLC in Nitro, W.Va. “Plug them all. But plug the hot ones first.”

For more on security, see page 22 and our In Depth section starting on page 33.


What Have Hackers Been Up to Lately?

The top 10 successful electronic attacks in the second quarter as identified by TruSecure/ICSA Labs:

EXPLOIT                                      KNOWN AS
 1. W32 worm                                 Hybris
 2. Unix RPC Services (sadmind/IIS worm)     rpc.statd, rpc.mountd, rpc.sadmind
 3. W32 worm                                 Magister
 4. DNS BIND                                 tsig, iquery
 5. MSFT IIS (sadmind/IIS worm)              Unicode../RDS
 6. ftpd                                     Wu FTP
 7. lpd                                      LPRNG overflows
 8. NETBIOS Shares                           137, 138, 139 scans
 9. MS w32 trojan                            Sub7
10. Short Lived Worm                         Home Pages

BRIEFS


Dot-com Layoffs Down

Dot-com layoffs are at their lowest level since November, while overall job cuts in the U.S. in June were up 56% from the previous month, according to reports by outplacement firm Challenger, Gray & Christmas Inc. The Chicago-based firm reported last week that layoffs at Internet-related companies fell in June for the second consecutive month to 9,216, a decrease of 31% from May’s 13,419 cuts. Layoffs in May fell 24% from April’s record high of 17,554. June’s cuts are the lowest since November’s 8,789.


NextWave, Lucent Sign 3G Network Deal

NextWave Telecom Inc. has signed an agreement with Lucent Technologies Inc. to build the first phase of a third-generation (3G) digital wireless network, using the spectrum NextWave regained after a court battle with the Federal Communications Commission. Under the $100 million all-cash deal, Murray Hill, N.J.-based Lucent will begin construction of a wireless voice and data network in Detroit and Madison, Wis. Lucent will also deploy the initial phase of a data-only network in NextWave’s remaining 93 markets, Hawthorne, N.Y.-based NextWave said. That work is expected to be completed within the next 10 months.


EMC Sales Fall Short

Once again blaming the slowdown in IT spending brought on by the softening economy, EMC Corp. last week warned that its financial results will fall well short of expectations for the second straight quarter. EMC now expects revenue of about $2 billion, 18% lower than the $2.43 billion Wall Street analysts had forecast. The Hopkinton, Mass.-based data storage firm indicated that second-quarter profits will likely be only about one-third of what was expected. Earnings should total between $88 million and $132 million, EMC said, which is far lower than the $375 million figure analysts had predicted.
CA Fights Back

Company files lawsuit to stop Wyly’s takeover, cuts bonuses for top executives

BY MARC L. SONGINI

As expected, the board and management team at Computer Associates International Inc. are showing stiff resistance to Texas entrepreneur Sam Wyly’s bid to oust them.

First, they filed a lawsuit trying to block Wyly’s takeover attempt. Then, last week, they moved to boost CA’s bottom line by announcing that top executives won’t receive any bonuses in fiscal 2002.

In a press release on its Web site regarding its preliminary proxy statement, CA said company President and CEO Sanjay Kumar and founder and Chairman Charles Wang this year will have their compensation limited to base salary, benefits and stock options. Wang’s salary is $1 million, and Kumar’s is $900,000.

The move appears to be an attempt to win the favor of shareholders, who have seen CA’s top executives receive massive compensation during a time of lackluster revenue growth. Shareholders are scheduled to vote Aug. 29 on whether to keep the existing board or replace it with a board and management team led by Wyly.

But a spokesman for the Islandia, N.Y.-based company said the bonus cuts had nothing to do with the pending vote. Wang and Kumar didn’t receive performance-based awards because of a “change in the firm’s business model, which changed revenue recognition and resulted in a net loss for the year,” according to a statement issued by CA.

Wyly, who last year sold his software firm, Sterling Software Inc., to CA, last month announced his intentions to replace Wang as chairman and to break the company into four independent units. CA quickly fought back by filing a lawsuit to block Wyly, based in part on a noncompete clause in the Sterling sales agreement.

A spokesman for Wyly’s Dallas-based investment company, Ranger Governance Ltd., which is spearheading the proxy fight, called CA’s lawsuit baseless and said it involves a “tortured misreading of the noncompete agreement.” He said the decision not to award executive bonuses is immaterial.

“There are documented years of shareholder abuse, and one instance of their changing their egregious compensation does not change years of lackluster performance,” the spokesman said.

In the proxy statement, Kumar said Wyly’s plans to break the company into four organizations just don’t make sense.

“In addition to decreasing the company’s ability to offer integrated software solutions and engage in cross-selling, Mr. Wyly’s plan would increase overhead costs and potentially be disruptive to employees,” he stated.

Analyst Rick Ptak at Hurwitz Group Inc. in Framingham, Mass., agreed. “Wyly’s plan sounds like a ‘small is beautiful’ fantasy,” he said. “Customers are looking for solutions to comprehensive business problems, not a bunch of independent tools they have to assemble into a solution.”

CHARLES WANG, CA chairman

SANJAY KUMAR, CA president and CEO


CA World to Push Business Process Management Tools

Analysts say more user support needed for complex features

BY MARC L. SONGINI

This week, customers of Computer Associates International Inc. will get a glimpse of the company’s latest iteration of its flagship network management application and hear how CA intends to execute its e-business plans.

However, analysts suspect that the Islandia, N.Y.-based company is going to have some trouble helping users fully grasp the features of some of its more complex new products.

At CA World, which opened Sunday in Orlando, the company is expected to unveil Unicenter 3.0, the next generation of its management product. In addition, it plans to announce that it will sell pieces of Unicenter as stand-alone products, freeing customers from having to buy the entire suite, said Tarkan Maner, vice president of corporate marketing at CA.

The company will also expand the number of application programming interfaces available for users to tie their CA products to heterogeneous supply chain management, enterprise resource planning and customer relationship management applications, which will allow business process management using Unicenter.

Everyone has been talking about interoperability and business process management, but CA is actually starting to deliver on it, said Rick Ptak, an analyst at Hurwitz Group Inc. in Framingham, Mass.

There are challenges, however. In particular, users are having a difficult time understanding the Jasmine ii middleware CA announced last year.

“I’m still learning [about Jasmine], and I’m impressed by its capabilities. But I’m starting to think that CA does a great job on the spin machine [but] can’t seem to communicate about those technologies,” said Jeff Adams, IT director at Canton, Ohio-based The Belden Brick Co.

Adams said Belden Brick has had Jasmine ii in place since May to tie together 12 databases, but the more uses the company finds for it, the more problems that arise.

Belden also uses Unicenter Framework, and Adams said he’s interested in exploring the product line’s business process management capabilities. However, he said that although he believes the technology is sound, he isn’t sure CA has consultants with the skills needed to map his company’s workflows to the applications. There aren’t many people who understand how to apply technology to business, he added.

Despite CA’s business process management offerings, it still has its work cut out for it, since competitors BMC Software Inc. in Houston and Austin, Texas-based Tivoli Systems Inc. have also been pushing on that front, said Corey Ferengul, senior program director at Meta Group Inc. in Stamford, Conn.

JEFF ADAMS: “CA can’t seem to communicate” about its technology.


IBM Service Follows Products After Delivery

Aims to help manufacturers track unit-level data, reduce costs

BY JAIKUMAR VIJAYAN

IBM has launched a service aimed at helping manufacturing companies track unit-level information, potentially reducing product warranty costs and driving additional spare parts sales.

The service, called IBM ServiceAfterSales, is offered by IBM’s Product Lifecycle Management (PLM) group. It was designed to improve a company’s ability to track the performance and usage history of a product after it has been shipped to a customer.

Using the centralized service, companies will be able to keep tabs on key product-diagnostics information, usage and repair histories, maintenance and service records, and detailed case-based repair scenarios.

French automaker PSA Peugeot Citroen SA, for instance, is using the service to perform Internet-based remote diagnostics on its cars, said Alan A. Chakra, IBM’s business unit executive in charge of the new service.

Using onboard diagnostics and Internet links at dealer locations, a Peugeot vehicle can report fault conditions to a remote service facility maintained by IBM, which then advises technicians on the corrective steps that need to be taken, Chakra said.

Another example is a recent wireless remote monitoring and control service called Myappliance.com that’s being offered by Farmington, Conn.-based air conditioner maker Carrier Corp. and IBM. Among other things, the service allows Carrier’s new Web-enabled air conditioners to send fault codes and other diagnostic alerts instantaneously via mobile phones, e-mail or fax to the company’s service technicians, Chakra claimed.

This kind of unit-level interaction helps companies reduce repair times and avoid the common mistake of unnecessarily replacing good parts, analysts said.

It also allows companies to gather information that can be used to anticipate and design around future problems, said Andy Chatha, president of ARC Advisory Group Inc., a Dedham, Mass.-based manufacturing consultancy.

These kinds of capabilities are crucial for manufacturers that are looking to aftermarket service, maintenance and repair for opportunities to cut costs and grow revenues, especially in a slow economy, Chatha said.

Despite the potential upfront costs, “there’s a lot of pressure on manufacturing companies to develop systems like these” because of their long-term return on investment, he added.

Putting together the pieces needed to deliver such services isn’t trivial, said Ken Amann, an analyst at CIMdata Inc. in Ann Arbor, Mich.

IBM is working with other companies to integrate the components of an organization’s product life cycle management system, such as product services, customer support, configuration and diagnostics services, as well as aftermarket service support and management teams.

“The good news is that all the pieces are there already,” Amann said. And advances in areas such as wireless and broadband technologies are making deployment easier, he added. The key lies in integrating these different parts and figuring out how to optimally
gather,  store,  access,  share  and 
mine  the  information  that’s 
generated  from  such  a  system, 
he explained.


Managing  the 
Product  Life  Cycle 

IBM’s  PLM  partners  include 
the  following: 

►  Enigma  Inc.:  Offers 
technology  that  helps  manu¬ 
facturers  combine  product 
information  with  e-com¬ 
merce  and  decision-support 
systems. 

► Dassault Systemes SA: Supplies technologies
to  graphically  define,  share 
and  manage  product,  pro¬ 
cess  and  resource  informa¬ 
tion  throughout  the  whole 
product  life  cycle. 

► Cadam Systems Co.: Sells specialized desktop
computer-aided  design  and 
manufacturing  systems. 


Cargill  Launches  Internal  Online  Catalog 


Software  from  Cardonet  will  automate 
procurement  of  supplies  from  70  vendors 


BY  MARK  HALL 

Cargill  Inc.’s  IT  team  this  week 
is  being  trained  on  a  new  cata¬ 
log  management  application 
for  company  employees  who 
purchase  products  online. 

The  $48  billion  Minnetonka, 
Minn.-based  conglomerate  has 
added  the  E-Catalog  Automa¬ 
tion  Platform  from  Santa  Clara, 
Calif.-based  Cardonet  Inc.  to 
automate  its  procurement  op¬ 
erations.  The  upgraded  soft¬ 


ware  includes  both  buyer  and 
seller  catalog  management  ca¬ 
pabilities;  previously,  the  two 
functions  were  offered  in  sepa¬ 
rate  products. 

The  upgrade  also  adds  fea¬ 
tures  such  as  automatic  classi¬ 
fication  of  content  based  on 
preset  rules  and  category-level 
attributes.  These  features  let 
catalog  owners  apply  the  same 
attributes  with  different  rules 
for  each  category. 


MSN  Messenger  Loses  Touch  With  12M 


Users  unable  to 
access  contact  lists 


BY JENNIFER DISABATINO

About  12  million  users  of  Mi¬ 
crosoft’s  online  instant  mes¬ 
saging  service  lost  access  to 
their  contact  lists  last  week  af¬ 
ter  a  July  3  hardware  failure  at 
the  company’s  headquarters. 
The problem had not been resolved
by the time of Computerworld’s print deadline Friday
afternoon.

“On  a  server,  a  disk  con¬ 
troller  failed  and  a  backup  con¬ 
troller  had  an  error,”  said  a  Mi¬ 
crosoft  Corp.  spokeswoman. 
“It’s  no  small  potatoes,  and 
they’re  taking  this  very  seri¬ 
ously.” 

The  service,  MSN  Messen¬ 
ger  Service,  has  36  million 
users  worldwide,  so  about  one- 


third  of  the  users  were  affect¬ 
ed,  said  the  spokeswoman.  The 
data  wasn’t  lost,  she  said,  users 
just  couldn’t  get  access  to  it. 

The  spokeswoman  said  the 
problem  wasn’t  linked  to  a 
configuration  glitch  with  Mi¬ 
crosoft’s  new  Passport  service, 
which  lets  users  register  a  sin¬ 
gle  name  and  password  that 
works  at  various  Web  sites, 
eliminating the need to reregister
at every site.


Jeff  Robles,  Cargill’s  elec¬ 
tronic  procurement  architec¬ 
ture  and  implementation 
leader,  said  his  team  will  ini¬ 
tially  focus  on  cutting  time  out 
of  the  procurement  process. 

“If  you  can  take  five  pur¬ 
chase  orders  and  put  them  into 
one,  you’re  also  going  to  be 
saving  money,”  he  said. 

Establishing  Standard  Rules 

Cargill  will  establish  stan¬ 
dard  rules  for  categorizing 
content  so  online  catalog  man¬ 
agers  won’t  have  to  review  and 
categorize  content  for  every 
new  catalog. 

For  example,  acronyms  that 
are  used  in  catalogs  will  be 
identified  and  either  automati¬ 
cally  translated  into  their  full 
names  or  brought  to  the  atten¬ 
tion  of  a  catalog  manager  for 
explanations. 

Cargill’s  procurement  sys¬ 
tem  has  70  suppliers  that  offer 
a  variety  of  office  and  building 
supplies,  Robles  explained.  He 
said  one  of  the  company’s 
goals  will  be  to  create  a  pre¬ 
ferred  list  of  suppliers. 

Cargill  wouldn’t  disclose 
what  it’s  spending  on  the  proj¬ 
ect,  but  pricing  for  the  Car¬ 
donet  software  starts  at 
$125,000.




NEWS 


Feds  Asked  to  Boost 
IT  Research  Funding 


Federal  funding  is  the  backbone  of 
the  Internet  and  supercomputing, 
but  future  advances  are  in  jeopardy 
because  of  a  slowing  federal  com¬ 
mitment  to  IT  research,  according 
to  some  IT  leaders.  “We  must  act 
now  to  reinvigorate  long-term  IT 
research,”  said  Eric  Benhamou, 
chairman  of  Santa  Clara,  Calif.- 
based  3Com  Corp.,  during  a  hearing 
of  the  House  Science  Committee’s 
Subcommittee  on  Research  late  last 
month.  “If  we  do  not  take  these 
steps,  the  flow  of  ideas  that  have 
fueled  the  information  revolution 
over  the  past  decades  may  slow  to 
a trickle,” Benhamou said. The government
is slated to spend $1.76
billion on technology research initiatives
during its current fiscal
year. The Bush administration has
asked  for  a  1%  increase  for  the 
coming  year. 


Vendor  Investments  in 
Start-ups  Tanked  in  Q1 

Large  IT  vendors  with  venture  capi¬ 
tal  arms,  which  have  reaped  gener¬ 
ous  returns  on  start-up  investments 
in  recent  years,  significantly  cur¬ 
tailed  investing  during  the  first 
three  months  of  this  year,  according 
to  a  recent  PricewaterhouseCoop- 
ers  survey.  Intel  Corp.,  for  example, 
made  163  investments  in  start-ups 
last  year,  compared  with  only  19 
during  the  first  quarter  of  this  year. 
Cisco  Systems  Inc.  made  only  seven 
investments  in  the  first  quarter, 
compared  with  45  in  all  of  last  year. 


Watch  Those  Links 

Banks  are  being  warned  to  exercise 
due  diligence  in  linking  third  parties 
to  their  Web  sites.  Linking  can  pose 
a  risk  to  an  institution's  reputation, 
particularly  if  the  third  party  offers 
lower  levels  of  security  and  privacy, 
said  the  Office  of  the  Comptroller  of 
the  Currency  in  a  bulletin  released 
last  week.  The  comptroller  advised 
banks  to  examine  those  relation¬ 
ships  and  to  ensure  that  customers 
aren't  confused  about  the  links. 


IP  Network  to  Monitor 
Power  Grid  in  14  States 


Goal  is  to  pinpoint  problems  and  make 
corrections  before  electrical  outages  occur 


BY  JAMES  COPE 

A new organization
directed  by  fed¬ 
eral  authorities  to 
spot  trouble  and 
ensure  competi¬ 
tive  access  to  electrical  trans¬ 
mission  grids  will  soon  deploy 
an  IP  network  to  monitor  and 
control  the  transmission  of 
electrical  power  from  indepen¬ 
dent  power  producers  through¬ 
out  a  14-state  area  in  the  Mid¬ 
west. 

The  Carmel,  Ind.-based  or¬ 
ganization  is  Midwest  ISO,  an 
independent  systems  operator 
(ISO)  that  arose  from  a  1999 
Federal  Energy  Regulatory 
Commission  order  aimed  at 
discouraging  electrical  utilities 
from  blocking  independent 
power  producers  from  access¬ 


ing  transmission  grids.  Similar 
organizations  have  been 
formed  in  other  parts  of  the 
country,  including  ISO  New 
England  Inc.  in  Holyoke,  Mass. 

Michael  Gahagan,  Midwest 
ISO’s  CIO  and  chief  strategy  of¬ 
ficer,  said  the  IP  network,  which 
is  being  built  and  managed  by 
AT&T  Solutions  in  Florham 
Park,  N.J.,  will  be  the  linchpin  of 
the  ISO’s  operations. 


The  network  command  cen¬ 
ter  in  Carmel  will  be  connect¬ 
ed  with  the  control  centers 
for  approximately  22  electrical 
utilities  in  the  Midwest  via 
AT&T’s  frame-relay  cloud.  Ex¬ 
pected  to  go  live  in  the  middle 
of  next  month,  the  network 
should  enable  operations  per¬ 
sonnel  at  the  ISO  to  look  into 
regional  transmission  grids  at 
a  substation  level,  spot  poten¬ 
tial  trouble  and  make  correc¬ 
tions  before  an  outage  occurs, 
said  Gahagan. 

An  example  of  a  typical 
problem,  he  said,  would  be  a 


THE  MIDWEST  ISO  facility  in  Carmel,  Ind.,  will  monitor  operations  at 
approximately  22  electrical  utilities  in  the  Midwest. 


Digex  CEO  Gives  Download  on  Hosting  Nets 


Hosting  is  complex 
issue,  says  Shull 

Mark  Shull  is  president  and  CEO 
of  Digex  Inc.,  which  hosts  and 
manages  networks  for  large 
corporations  such  as  Ford  Mo¬ 
tor  Co.  and  New  York-based 
Colgate-Palmolive  Co.  And  he 
has  a  new  boss;  on  July  1, 
WorldCom  Inc.  took  a  55% 
stake  in  Laurel,  Md.-based 
Digex. Computerworld’s James
Cope  spoke  with  Shull  last 
week  about  some  of  the  trends 
in  network  outsourcing. 

Q:  What’s  the  major  challenge  con¬ 
fronting  managed  hosting  provid¬ 
ers  and  application  outsourcers? 

A:  From  the  provider’s  per¬ 
spective,  the  most  difficult  part 
is  the  sheer  complexity.  You 


have  large  numbers  of  services 
that  you  provide  in  a  mission- 
critical  way.  Any  one  compo¬ 
nent  may  have  99.9%  relia¬ 
bility.  But  you  add  multiple 
components,  and  the 
total  system  is  going 
to  be  less  reliable 
than  any  single  appli¬ 
cation. 

A  lot  of  what  we’re 
doing  is  new.  Up 
until  now,  most  of 
what  people  were 
doing  was  market 
info  and  basic  con¬ 
sumer  sales.  Now  it 
involves  more  impor¬ 
tant  functions,  such  as  supply 
chain  management  and  work¬ 
ing  with  partners.  We’re  now 
seeing  core  business  applica¬ 
tions  [being  outsourced]. 

Q:  How  about  from  the  enterprise 


customer’s  point  of  view? 

A:  There’s  grave  concern  about 
loss  of  visibility  and  loss 
of  control  [among  corporate 
IT  people],  particularly  with 
those  who  have  to 
manage  the  business 
applications.  We  have 
built  a  lot  of  automa¬ 
tion  around  deploy¬ 
ing  and  managing 
[equipment  and  ap¬ 
plications]  ...  in  a 
way  that  all  of 
the  management  data 
produced  is  generat¬ 
ed  in  XML,  in  real 
time.  We  push  [that 
information]  to  customers. 

Q:  What  types  of  companies  are  at¬ 
tracted  to  the  network  outsourcing 
model? 

A:  Because  we’ve  only  focused 
on  managed  hosting  from  the 


SHULL:  Data  is 
pushed  to  cus¬ 
tomers  in  real  time. 
recurring bottleneck on a
major  transmission  route  be¬ 
tween,  say,  Minnesota  and  Wis¬ 
consin.  Should  more  power  be 
required  on  either  side  of  the 
bottleneck,  the  sensors  at  sites 
on  the  network  would  immedi¬ 
ately  alert  personnel  in  the  ISO 
command  center  of  a  potential 
problem,  Gahagan  explained. 
Console  operators  could  then 
issue  orders  over  the  network 
to  ready  another  generator  to 
pick  up  the  slack,  he  said. 

Currently  operating  in  test 
mode,  the  ISO  network  is 
monitoring  100,000  different 
points  on  the  regional  trans¬ 
mission  grid  every  60  seconds, 
said  Gahagan,  who  declined  to 
say  how  much  the  ISO  network 
costs. 

Still,  it  isn’t  feasible  to  moni¬ 
tor  every  substation  in  the  re¬ 
gion,  he  said. 

To  compensate,  the  ISO  will 
use  computer  simulation  tools 
to  paint  a  probable  picture  of 
areas  on  the  grid  that  aren’t  di¬ 
rectly  observable.  The  simula¬ 
tion  tools  are  based  on  algo¬ 
rithms  previously  developed  by 
NASA  scientists  to  pinpoint  the 
position of lunar landing modules
during Apollo space missions,
said Gahagan.


beginning,  [customers]  have 
been  overwhelmingly  large  en¬ 
terprises. 

One  reason  they  decide  to 
outsource  is  because  network 
technology  is  actually  growing 
more  complex  faster.  And 
there’s  the  speed  to  market.  We 
already  have  the  infrastruc¬ 
ture,  the  application  services 
and  the  people  to  manage 
them. 

Q:  Many  providers  have  cut  their 
staff  in  recent  months.  What  about 
Digex? 

A:  We  have  been  increasing 
personnel  —  not  at  the  same 
rate  as  last  year,  but  increasing. 
On  the  sales  front,  a  lot  of  our 
people  have  been  coming  from 
Web  hosting  providers.  Our 
technical  people  have  been 
coming  from  multiple  places 
—  from  systems  integrators 
and  from  other  technology 
companies  —  because  there 
aren’t really that many managed
hosting providers.
First Data Overhauling
Backbone  for  E-Payments 

Firm  undertakes  IT  upgrade  in  bid  for 
B2C,  B2B  transaction-processing  markets 


BY  MICHAEL  MEEHAN 

FIRST DATA CORP.

sprang  to  life  in  1971 
as  a  backbone  for 
what  was  then  an 
emerging  credit  card 
industry.  Now  the  Denver- 
based  payment  services  giant 
is  in  the  throes  of  a  massive  IT 
upgrade  that’s  aimed  at  help¬ 
ing  it  retain  its  market-leading 
position  as  the  industry  con¬ 
tinues  its  shift  to  electronic 
formats. 

First  Data  Resources,  a  divi¬ 
sion  of  First  Data,  is  the  world’s 
largest  third-party  transaction 
processor,  with  more  than  1,400 
corporate  issuers  and  311  mil¬ 
lion  accounts  in  its  portfolio. 
Last  year,  the  division  brought 
in CIO-for-hire Charles Feld to
shepherd  the  company  into  the 
e-commerce  era. 

Feld,  who  was  pre¬ 
viously  CIO  at  Frito- 
Lay  Cos.  and  Delta 
Air  Lines  Inc.,  is  can¬ 
did  about  First  Data’s 
challenges  and  the 
opportunity  for  it  to 
become  a  central  hub 
supporting  all  sorts 
of  business-to-con- 
sumer  and  business- 
to-business  online 
transactions. 

“I  don’t  know  when,  but 
cash  and  checks  will  be  as  dis¬ 
tant  a  memory  as  wampum  at 
some  point,”  Feld  said.  “Mon¬ 
ey’s  changing,  forever.  We 
want  to  be  the  payment  and 
transport  for  whoever  wants 
to  transact  business.”  That 
includes  processing  every¬ 
thing  from  consumer  credit 
card  purchases  to  multimil¬ 
lion  dollar  business-to-busi- 
ness  transactions. 

Feld  has  focused  on  sep¬ 
arating  data  from  its  transport. 
Wireless  purchases,  sales  made 


through  online  exchanges  and 
credit  card  transactions  will  be 
wrapped  in  uniform  messaging 
protocols  and  routed  through  a 
layer  of  Unix  machines,  which 
will  be  used  to  help  make  deci¬ 
sions  about  how  to  handle  that 
data.  Then  the  information 
will  be  routed  back  to  a  cluster 
of  IBM  OS/390  mainframes, 
which  will  process  the  trans¬ 
actions. 

Market-Driven 

To  a  degree,  First  Data  didn’t 
choose  its  business  strategy. 

Corporations  are  busy  re¬ 
tooling  their  back-office  envi¬ 
ronments  to  handle  more  of 
their  sales  and  purchases  in 
electronic  formats.  Gartner  Inc. 
in  Stamford,  Conn.,  estimates 
that  online  business-to-busi- 
ness  transactions  to¬ 
taled  $434  billion  last 
year  and  will  jump  to 
$6  trillion  by  2004. 

Recognizing  that 
someone  has  to  move 
that  money,  First 
Data  spent  $40  mil¬ 
lion  last  year  to  beef 
up  its  IT  operations. 
Feld  said  the  compa¬ 
ny  plans  to  spend 
between  3%  and  5% 
of  its  card  revenue 
this  year  to  build  on  that  effort. 
A  First  Data  spokeswoman 
said  that  amounts  to  an  addi¬ 
tional  $40  million  investment 
in  the  IT  infrastructure  up¬ 
grade  this  year. 

“There’s  some  serious  heavy 
lifting  involved  in  that,”  Feld 
noted.  “You’re  going  to  run 
into  problems  if  the  buy  moves 
at  Internet  speed  but  the  back 
end  moves  at  rail  speed.” 

According to analysts, online
business-to-business transactions
are often paid for with
corporate  purchasing  cards  is¬ 


sued  by  suppliers.  That  kind  of 
money-handling  limits  the  size 
and  speed  of  electronic  trans¬ 
actions. 

“I  think  it’s  fair  to  say  elec¬ 
tronic  payments  have  not  been 
ready  for  prime  time,”  said 
Laurie  Orlov,  an  analyst  at  For¬ 
rester  Research  Inc.  in  Cam¬ 
bridge,  Mass. 

Orlov  cited  the  inability  of 
corporate  accounts  payable 
systems  to  process  business- 
to-business  transactions  as  the 
principal  bottleneck,  rather 
than  the  readiness  of  the  bank¬ 
ing  and  financial-processing 
world. 

Still,  she  noted  that  both 
sides  need  to  progress  with 
their  respective  IT  infrastruc¬ 
tures  to  streamline  the  process. 

Feld  said  he  expects  the 
work  on  First  Data’s  database 
and  Unix  wrapper  to  take  an¬ 
other  12  to  18  months.  The 
move  is  expected  to  help  the 
company  process  whatever 
types  of  transactional  data  its 
customers  send.  Once  that 
effort  is  completed,  the  compa¬ 
ny  will  begin  to  build  client¬ 
facing  applications. 

Leveraging  Technology 

First  Data  isn’t  alone  in  try¬ 
ing  to  carve  out  a  position  in 
the  fast-evolving  e-payments 
universe. 

For  instance,  Dutch  credit 
insurance  company  NCM  NV 
has  fathered  a  risk  manage¬ 
ment  services  firm  for  online 
and  off-line  trade  called  eCred- 
ible  Ltd. 

“Everyone  forgot  that  e-com¬ 
merce  isn’t  a  brand-new  way 
of  doing  business,”  said  Jurgen 
Leijdekker,  U.S.  managing  di¬ 
rector  at  eCredible.  “You  still 
have  to  get  paid  at  the  end  of 
the  transaction,  and  you  need 
to  have  the  same  support  for 
electronic  payments  as  you  did 
for  paper  ones.” 

Meanwhile,  Italy’s  largest 
automated  interbank  payment 
organization,  SIA  SpA,  has 


contracted  with  Syntrex  in 
Padova,  Italy,  to  create  a  cen¬ 
tralized  method  of  handling  all 
of  its  transactions. 

Augusto  Astesiano,  SIA’s 
e-business  and  security  sys¬ 
tems  director,  said  that  most  of 
his  company’s  customers  will 
be  working  on  TCP/IP  net¬ 
works  within  two  years  but 
that  some  established  custo¬ 
mers  will  still  prefer  to  send  in¬ 
formation  using  the  X.25  trans¬ 
action  protocols  that  the  Soci¬ 
ety  for  Worldwide  Interbank 
Financial  Telecommunications’ 
network  uses. 

“You  have  to  be  ready  for 
any  type  of  data,”  Astesiano 
said. 

Bob McCullough, an analyst
at Framingham, Mass.-based
Hurwitz  Group  Inc.,  said  the 
key  for  money-changers  will 
be  their  ability  to  function  in  a 
technologically  heterogeneous 
world. 

“There’s  going  to  be  a  lot  of 
different  ways  to  transfer  mon¬ 
ey,  and  someone’s  going  to  fig¬ 
ure  out  how  to  do  it  if  they 
don’t,” he said.


Inside  First  Data’s  Conversion 


Charles  Feld  has  spent  the  past 
decade as a CIO-for-hire at companies
such as Burlington Northern
Santa Fe Railroad and Delta
Air  Lines. 

Now, as CIO of First Data's
First  Data  Resources  division,  Feld 
is  looking  to  update  yet  another 
legacy-system-dependent  org¬ 
anization. 

Here  are  some  of  the  keys  to 
the  major  IT  overhaul  he’s  current¬ 
ly  driving: 

■  Make  applications  easy  to  con¬ 
figure  so  programmers  aren’t  re¬ 
quired  to  act  each  time  changes 
need  to  be  made. 

■  Standardize  payments  into  a 
generic  format. 

■  Provide  a  packet  of  interfaces 
and  rules  options  to  credit-issuing 
companies  reliant  upon  First 
Data's  database,  so  they  can 
change  the  rules  and  parameters 
on  their  own  systems,  as  well  as 
run  their  own  customer  relation¬ 
ship  management  applications 
based  on  the  database. 

■ Use IBM’s MQSeries middleware
and Palo Alto, Calif.-based
Tibco Software Inc.’s infrastructure
software to shuttle data from


client-facing  Unix  machines  back 
to  IBM  OS/390  mainframes. 

■  Leverage  existing  technology, 
such  as  IBM’s  DB2  and  Web¬ 
Sphere  middleware,  instead  of 
tapping  into  new  technologies. 
"Everything  we  have  is  a  firm 
piece  of  stuff  that  I’ve  worked 
with,  or  the  people  at  First  Data 
have  worked  with,”  Feld  said. 
“There's  no  unknowns.  We 
know  exactly  how  that  stuff 
works.” 

■  Orchestrate  the  overhaul  using 
a  small  management  team,  and 
take  advantage  of  institutional 
knowledge.  “I'm  a  firm  believer 
that  30  years  of  knowledge  is 
worth  something,"  said  Feld. 
“That’s  a  lot  to  rebuild,  if  you 
ignore  it.” 

■  Set  up  governance  process¬ 
es  on  technology  and  business 
sides  to  ensure  that  changes 
are  properly  implemented  and 
adopted.  “Most  IT  organizations 
are pretty weak on governance,”
Feld  said.  “What’s  the  opposite  of 
governance?  I  guess  it’s  lawless¬ 
ness.  Anyway,  that’s  what  we're 
trying  to  avoid.” 

-  Michael  Meehan 


FELD:  “Cash  and 
checks  will  be  as 
distant  a  memory 
as  wampum.” 
New Software Helps Baseball Scouts Track Prospects


BY JENNIFER DISABATINO

Somewhere, an old, wizened baseball
scout who never before touched a computer
is typing player statistics into his
laptop instead of scribbling on hotel
notepaper.

From the laptop, the data will be
shipped to the front office via the Internet
for consideration by coaches and
the  general  manager,  instead  of  being 
faxed  to  the  IT  department,  where 
techies  try  to  decipher  the  handwriting 
and  type  it  into  an  AS/400. 

“They  surprised  us,”  Vince  Crossley, 
network  administrator  for  the  Los  An¬ 
geles  Dodgers,  said  of  the  scouts.  “They 
seemed  to  be  able  to  adjust  to  this  very, 
very  well.  We  were  expecting  a  lot  of 
training  and  user  issues  and  resistance. 
Some  of  the  scouts  had  no  computer  ex¬ 
perience  and  are  senior  citizens.” 

Seven  Major  League  Baseball  teams 
use  IBM’s  Prospect  Reporting  and  Or¬ 
ganizational  Solution  (PROS),  collabo¬ 
ration  software  that  was  specially  built 
for  baseball  scouts  on  Notes  and  Domi¬ 
no  from  IBM  subsidiary  Lotus  Develop¬ 
ment  Corp.  in  Cambridge,  Mass. 

The  Colorado  Rockies,  Kansas  City 
Royals,  New  York  Mets,  Pittsburgh  Pi¬ 
rates,  Texas  Rangers  and  Toronto  Blue 
Jays  also  use  the  software.  A  few  others 
are  in  line  to  start  next  year. 

Tony  Thallman,  product  manager  at 
IBM,  said  PROS  is  basically  a  Notes 
database  with  special  forms  created  for 
scouts.  The  forms  include  space  to  list 


NHL  Scores 
With  Database 
On  Draft  Day 

BY JENNIFER DISABATINO

This  year’s  top  pick  in  the  National 
Hockey  League  entry  draft,  Ilya  Ko¬ 
valchuk,  is  from  Russia.  But  for  teams 
and  reporters,  getting  his  background 
information  wasn’t  a  problem. 

NHL  officials  shaved  hours  off  the 
process  of  selecting  players  in  the  draft 
by  using  a  database  accessible  to  teams, 
scouts  and  even  journalists.  The  teams 
also  save  time  by  using  e-mail  to  submit 
the  names  of  draft  picks,  eliminating 
the  need  for  runners  to  carry  messages 
to  and  from  team  tables. 

Built  on  Notes  5  and  Domino  collabo¬ 
rative  technologies  from  Lotus  Devel¬ 
opment  Corp.  in  Cambridge,  Mass.,  the 
NHL  database  contains  information 
about  all  prospective  draft  picks.  Busi¬ 
ness  rules  built  into  the  software  allow 
those  vetted  by  NHL  scouts  to  automat¬ 
ically  pass  on  to  the  next  phase  of  the 
workflow  process.  The  playing  histo- 


the  basics  on  a  player,  like  his  pitch 
speed,  whether  he’s  left-handed  or 
right-handed  or  how  fast  he  runs  to  first 
base.  IBM  custom-configures  the  forms 
for  each  team  with  40  to  50  fields,  and 
the  data  in  those  fields  is  measured  and 
calculated  to  give  each  player  a  score. 

“It  saved  us  time,  so  we  can  support 
other  departments.  Everyone  from  the 
upper  management  down  to  the  scouts 
—  they  all  love  it,”  said  Tony  Miranda, 
IT  manager  of  the  Blue  Jays.  Scouts  for 
the  Blue  Jays  used  to  send  in  documents 
through  an  old  DOS-based  system,  and 
IT  staff  would  have  to  manually  clean 
up  the  data  before  sending  it  to  the 
front  office. 

Jim  Edwards,  senior  director  of  infor¬ 
mation  systems  for  the  Royals,  said  he 
and  others  in  the  IT  group  used  to  have 
to  type  often-illegible  faxes  into  an 
AS/400.  In  addition  to  using  the  soft¬ 
ware  to  create  reports,  he’s  able  to  send 
reports  out  via  Notes  because,  unlike 
the  Dodgers  and  the  Blue  Jays,  the  Roy¬ 
als  use  Notes  for  corporate  messaging 
and  have  tied  it  to  the  PROS  software. 

Edwards,  Miranda  and  Crossley  said 
they  would  like  to  set  up  virtual  private 
networks  so  their  scouts  can  access  the 
PROS system from any Internet-connected
machine.


ries  of  those  who  haven’t  been  vetted 
are  compiled  from  scouting  reports  and 
local  news  coverage.  NHL  officials  re¬ 
view  that  material  before  they  approve 
the  draft  pick. 

The draft took place last month
at  the  home  rink  for  the  Florida  Pan¬ 
thers  in  Sunrise,  Fla.  Some  60  worksta¬ 
tions,  connected  to  two  Notes  servers, 
were  available  for  the  league’s  30  teams, 
NHL  officials  and  journalists. 

Part  of  what  Peter  Del  Giacco,  vice 
president  of  IT  for  the  NHL,  has  done 
with  Notes  and  Domino  is  to  automate 
the  workflow  process  of  the  draft.  Now, 
a  team  sends  a  request  for  a  player  as  a 
draft  pick  in  a  Notes  e-mail  message. 
That  message  is  automatically  routed  to 
the  central  scouting  desk.  Requests  for 
preapproved  players  are  automatically 
forwarded  to  the  central  registry  desk. 
If  approved  there  by  NHL  officials,  the 
name  goes  to  the  podium,  where  there 
is  also  a  workstation,  and  NHL  officials 
post  the  name  on  a  large  display  board. 

“Teams  can  run  various  types  of  re¬ 
ports.  They  don’t  have  all  day  to  make 
these  decisions,”  Del  Giacco  said.  “We 
also  wanted  to  generate  something  that 
was  point,  click  —  fairly  easy  to  use.  We 
also  didn’t  want  to  take  six  months  to 
write  it.”  This  was  the  fourth  year  using 
the  system  for  the  draft.  I 
IBM Completes Buy Of Informix Database

IBM last week completed its $1 billion acquisition of Westboro, Mass.-based Informix Corp.’s database operations. About 2,500 Informix employees are shifting to IBM as part of the deal, which was agreed to earlier this year. Plans call for key technologies such as Informix’s analytical tools to be incorporated into future versions of IBM’s flagship DB2 Universal Database. IBM said it will continue to sell Informix’s existing database products, but DB2 will be the foundation for future offerings.

IBM to Cut 1,000 Global Services Jobs

IBM will lay off approximately 1,000 employees in its IBM Global Services division as part of an effort to align the skills of its workforce with demand from customers, a company spokeswoman confirmed last week. The affected employees will have 30 days to seek employment in other IBM business units before they’re laid off, she said, adding that the layoffs will all take place in the U.S. The move echoes a similar step taken by the company in May of last year, when it announced a plan to eliminate about 1,000 employees from the same division.


Short Takes

SAPIENT CORP. is laying off 14% of its staff, or 390 workers, in the second round of cutbacks at the Cambridge, Mass.-based Internet consulting firm this year. ... To cut costs, HEWLETT-PACKARD CO. is asking its 88,500 employees worldwide to volunteer to take either eight vacation days off without pay or a 10% pay cut. Employees may opt instead to take four vacation days without pay and a 5% pay cut. ... New York-based TMP WORLDWIDE INC., the parent company of online job-hunting site MONSTER.COM, is buying rival HOTJOBS.COM LTD., also in New York, for approximately $460 million.


NEWS INDUSTRY

B2B Vendors Suffer Another Bad Quarter

Commerce One, others miss targets

BY MICHAEL MEEHAN

A SPRING THAW didn’t follow a harsh winter for B2B software vendors. Many companies last week reported that their revenues are still plummeting.

Commerce One Inc., i2 Technologies Inc. and BroadVision Inc. all announced that they expect quarter-to-quarter revenues to tail off at least 30%.

It marks the second straight quarterly regression for these companies. Analysts said that they believe the slide will continue and that it shows how companies are investing in IT more conservatively.

Kimberly Knickle, an analyst at Boston-based AMR Research Inc., said that implementations of software for buying and selling goods electronically can be lengthy and involved projects, costing $500,000 or more. “I’m not sure companies are willing to take that on right now,” she said. “Nobody wants to be in charge of the project that keeps growing.”

It has also become common for IT projects to require a higher level of executive approval than they once did, according to Laurie Orlov, an analyst at Forrester Research Inc. in Cambridge, Mass. B2B procurement has also lost some of its luster, she added.

“The [enterprise resource planning] guys are savvy about procurement now,” Orlov said. “You can get procurement from PeopleSoft, SAP and Oracle now, and it works, unlike some of their earlier releases. For the B2B vendors, that means it’s not differentiation through newness anymore.”

SAP AG actually rushed to the aid of Pleasanton, Calif.-based Commerce One about two weeks ago, with a $225 million investment worth approximately 20% of Commerce One’s stock. Many analysts viewed the investment as a major step toward SAP’s eventual purchase of its smaller partner.

“Long term, the marriage will take place, but probably just for the technology and nothing else,” said Hari Srinivasan, an analyst at Banc of America LLC in San Francisco. “It doesn’t look like there’s a lot of revenues to be had from Commerce One.”

However, in a conference call, SAP CEO and co-founder Hasso Plattner called Commerce One’s marketplace software a key in SAP’s attempts to break free from its back-office supply chain moorings. In particular, he said, joint development efforts with Commerce One would help SAP gain a foothold in private procurement exchanges and help with B2B integration.

He insisted that two down quarters in a slow economy isn’t reason to abandon a company that has proved to be a valuable technological partner. “We make a major investment here because we see a huge business opportunity,” Plattner said.

Redwood City, Calif.-based BroadVision saw its revenue tumble from an all-time high of $136.9 million in the final quarter of 2000 to $91.1 million in the first quarter of 2001, and to an estimated $54 million to $60 million last quarter. Likewise, Dallas-based i2 saw its numbers drop from $357 million in the first quarter of 2001 to an estimated $235 million to $240 million this past quarter.

Both companies said they were hurt by general slowness in the economy.


Security Firms Hit Bumps

Earnings warnings, layoffs hit sector

BY JAIKUMAR VIJAYAN

Computer security firms, which until recently seemed impervious to the broad slowdown in IT spending, are finally beginning to feel the pinch.

Last week, Atlanta-based Internet Security Systems Inc. (ISS) announced that its second-quarter earnings would range from a loss of 2 cents per share to break-even, on revenue of $50 million to $52 million. Analysts had expected the intrusion-detection vendor to make a profit of 15 cents per share on revenue of $65 million.

Network security vendor Check Point Software Technologies Ltd. in Redwood City, Calif., also warned investors last week that while its revenue would be up sharply from the same period last year, it would fall slightly below analysts’ expectations, reaching about $140 million.

Both companies blamed a slowdown in corporate spending for the lowered earnings forecasts.

The warnings sent both companies’ stock prices plummeting and hammered those of other computer security firms.

ISS, which at its 12-month peak traded at more than $108 per share, lost more than 40% of its value on July 3, when it dropped to just over $20. On the same day, Check Point dropped more than 12 points to a little over $44, well short of its 52-week high of $118.

Other computer security stocks that were caught in last week’s downdraft included those of Network Associates Inc., which dropped more than 6%; RSA Security Inc., which fell nearly 8%; and Certicom Corp., which declined more than 5% to less than $3 per share, well below its 52-week high of more than $47.

The earnings warnings — and the sell-off that followed — show that the security sector isn’t as protected from the economic slowdown as previously expected, said Charles Kolodgy, an analyst at IDC in Framingham, Mass. Analysts once argued that security spending would remain relatively untouched because of heightening hacker threats and data privacy issues.

“I thought the security sector would hold up better than some of the other areas,” Kolodgy said. Instead, the deferred spending, delayed upgrades and canceled projects that have affected other parts of the high-tech industry appear to have hurt the security sector as well, he said.

For example, during the past several weeks: Hayward, Calif.-based Certicom, which sells security software to wireless Internet providers, said it would cut its workforce by 30%; Seattle-based Watchguard Technologies Inc. laid off 16% of its workforce; and shares of U.K.-based Baltimore Technologies PLC briefly dropped to less than $1 after it announced layoffs.


Job insecurity

A sampling of security firms that have resorted to layoffs:

Pilot Network Services Inc.: Laid off all its workers and suspended normal operations in April

724 Solutions Inc.: Cut workforce by 12% last month

Entrust Technologies Inc.: Made 30% cut last month

F-Secure Corp.: Laid off 95 of its 445 employees in April
Knowledge Quest

Your company’s security needs are as unique as your fingerprints. So where do you turn for the exact answers you need? You talk to your peers, attend conferences (when travel budgets allow), surf the media in print and online, listen to vendors and pundits, test products and hold your breath a lot.

One big reason it’s difficult to exhale: Adequate budgets to cover your security needs are rare. Datamonitor, a global market analysis firm, estimated recently that the total cost of online security breaches to U.S. corporations runs to $15 billion annually.

Yet only 30% have implemented enough protection, and half of those businesses spend less than 5% of their total IT budgets on security.

On your mental checklist of “Security Things to Worry About,” the topics must move around quite a bit. One week, it’s a virus rampage affecting e-mail servers nationwide; the next, it’s another revelation about the havoc vengeful employees can wreak on internal networks. If you had to name your No. 1 security concern a month from today — with absolute certainty — you probably couldn’t.

That makes your information needs much more dynamic than ever before. You don’t need a random smattering of interesting articles about IT security as much as you need a center of knowledge that keeps growing. That’s why, in the first installment of our new monthly In Depth series on enterprise IT topics and technologies, two-thirds of this issue, starting on page 33, is devoted to an exploration of the risks and rewards of enterprise security. More important, the online parts will expand into a knowledge center worth returning to as your needs change.

For example, one of our In Depth print stories (“False Alarms,” page 42) probes the managerial ups and downs of working with intrusion-detection systems (IDS). The companion online-only component supplies IDS product data plus an expert research paper about some inherent flaws in these systems. In that same fashion, each story in the package is linked to a richer set of dynamic resources online at Computerworld.com.

In future installments, we’ll tackle other IT topics. Let us know what you’d like to see in these knowledge centers. We’ll do our best to help you learn more and worry less.
PIMM FOX

Want to Save Some Money? Automate Password Resets

HOW MANY applications do you support? In 1995, IT departments supported an average of 25 per user. Now, that number is somewhere between 100 and 200. The cost of purchasing those apps has long been absorbed, but ongoing support requirements are costly, ubiquitous and cover mundane tasks.

Indeed, the second most costly request to an IT help desk is to reset a password (about $14 to $28 a pop, according to Gartner). Six years ago, about 25% of help desk calls were about passwords, and having a single password and user ID (or single sign-on) for all applications was the Holy Grail.

Today, password resets account for only 19% of help desk calls, but that’s still the second highest request after those for more RAM to run popular programs — and single sign-on still hasn’t solved the password reset problem.

Nevertheless, improving the password reset function can save IT much-needed money at a time when IT budgets are under siege.

Unfortunately, there have been two culprits holding back change.

The first involves organizational risk management. Kris Brittain, research director at Gartner, says she recently visited a financial services organization that was so concerned about a possible breach of security that it changed the frequency of password resets from every 90 days to every 30 days. In addition, you couldn’t choose a previously used password for at least six months. “Calls to the help desk for password resets jumped 50%,” Brittain says, and employees routinely used sticky notes on the fronts of their monitors to remember their passwords.

How secure is that?

Clearly, a sane password policy must take into account that many users have a corporate LAN identification and password, passwords for a variety of Unix machines and a database password.

Better to place your risk-management assessment in the context of IT support by determining how much it will cost if, say, a quarter of your employees start calling the help desk to reset their passwords.

The second culprit is the lack of an appropriate technology to maintain password security while giving users the tools to self-select and reset passwords. But several technologies are removing this stumbling block.

For example, Support.com in Redwood City, Calif., has integrated P-Synch password management software into its support automation offering. That’s because “it’s a quick and compelling return on investment for companies to slash the amount of time a help desk spends resetting passwords,” says Gary Zilk, product marketing manager at Support.com.

So, don’t hesitate; automate. And don’t forget your password. After all, no one minds safe cost savings.


DAVID FOOTE

Companies Need Security Pros With More Varied Skills

COMPANIES THINK about their security practices a lot like we think about going to the dentist. We have to go, but we don’t want to; we’ll put off painful yet necessary gum surgery on the gamble that our teeth won’t one day fall out. But then we see someone with no teeth and become frightened enough to schedule an appointment. And flossing is not unlike changing our user passwords: We’re supposed to do it regularly, and it certainly makes good sense, but . . .

Corporate security is at a crossroads. Companies must stop fiddling around and take a hard line on what’s negotiable and non-negotiable for protecting their most valuable assets. Amid all the latest news about privacy, hacked networks and virulent electronic “love letters,” a more interesting story is what’s been happening in security-related employment. It has one of the widest supply-and-demand gaps of any IT job category: Employers report vacancy rates as high as 90%.

But here’s the worst part: Employers aren’t really sure what they should be looking for in hiring security professionals. Meanwhile, Rome burns.

While knowledge of the technical side of security is obviously a big factor in filling these positions, here are equally critical success factors in both high- and low-level security jobs: being adept at corporate politics; possessing business skills and aptitudes; having good relationship management skills; and being able to market, sell and negotiate outcomes. That’s because we desperately need to motivate managers to take on security with the same vigor they reserve for, say, new product development. You can’t do that with a bunch of techies running security, which is the case in many places.

Security professionals will always need to master newer technologies for protecting IT systems. But they’re under increasing pressure to understand their company’s entire business and pinpoint the security breaches that are most threatening to the bottom line.

In the next few years, security managers will need to focus on complying with new security and privacy regulations in health care and finance; developing stronger user-awareness policies; addressing a bigger basket of security issues, especially the growth of wireless access; running business-to-business exchanges; and defining the role of application service providers.

Companies should be recruiting a breed of security professional who possesses softer skills, including a positive attitude, diplomacy, patience, attention to detail, tenacious abstract problem-solving ability and a strong will. This will help them gain visibility and acceptance in selling hard-line ideas.

As for technical areas, security pros now need network engineering and operations skills, regardless of their specialization. New security niches — forensics and intrusion detection, for example — are hot, and having a niche certification is desirable.

But employers must scrutinize job candidates for how they work with others, on teams and with customers, since that’s important in cutting through resistance and raising security mind share. And why shouldn’t they hire reformed hackers, who have pure tech skills, tenacity and creativity? Casting a wider net will narrow the security employment gap and update the function.

Corporate debates on policies relating to security standards, user awareness, remote/wireless access, acceptable authentication methods, risk management, privacy trade-offs and outsourcing need expediting. This will be done only with a more astute, hands-on security team that speaks to the business persuasively, knows how to finesse a corporate agenda and has the chops.


READERS’ LETTERS


TCO Is More Than a Financial Benchmark

Thanks to Jaikumar Vijayan for attempting to move the image of total cost of ownership (TCO) past that of a financial benchmark that simply generates a dollar figure [“The New TCO Metric,” Business, June 18]. CIOs must be able to quantify the total costs juxtaposed against level of service and to address opportunities and savings both in the business operation and the IT organization. This requires constructing systems and processes for tracking current service levels and end-user satisfaction. Only with both TCO and service measurement can the CIO shift from meeting with the IT department over technical implementation details to giving IT the information required to talk at the CEO level about the real business of the company.

Kevin Cevasco
Burke, Va.
kevince1@excite.com


Another Mighty Ant

The article “Ant Colony IT” [Future Watch, June 18] was quite interesting, though it failed to cover perhaps the largest real application based upon the concept. The Bullet Train Operation Simulator has a capacity of 40,000 agents, out of which more than 30,000, including trains, signals and train sensors, simulate any what-ifs in the train operations. The central control computer can’t tell whether the connected system is the real train system or the simulator.

Seiichi Yaskawa
Yaskawa Electric Corp.
Tokyo
yaskawa@yaskawa.co.jp


Bad Title, Good Info

While I hated the exhortative title of Peter G.W. Keen’s column “Go Mobile — Now!” [Business Opinion, June 11], I enjoyed reading the answers to the quiz. Even where I knew the answer, I got more information.

Gobind Tanaka
Los Angeles


Software ‘Landlords’

If you buy a house that causes you harm, the costs are yours. If you rent a house that causes you harm, the costs are the landlord’s. I’m not a lawyer, but it would seem to me that if software vendors are going from selling to renting software, they could realistically be sued for damages caused by their software [“Don’t Be Fooled by the Allure of ‘Renting’ Software,” News Opinion, June 25].

Paul Olson
Director, computer operations
Total Info Services
Tulsa, Okla.

More Letters, page 30

COMPUTERWORLD welcomes comments from its readers. Letters will be edited for brevity and clarity. They should be addressed to Jamie Eckle, letters editor, Computerworld, PO Box 9171, 500 Old Connecticut Path, Framingham, Mass. 01701. Fax: (508) 879-4843. Internet: letters@computerworld.com. Include an address and phone number for immediate verification.
NEWS OPINION


FRED WIERSEMA

How Market Leaders Reach Out to Customers

THERE’S LITTLE DOUBT that market leadership and the savvy use of IT have been synonymous for the past decade. The firms that are dominating their industries today — growing two to three times faster than their peers — were among the first to exploit IT to re-engineer their business processes and eradicate waste from operations in the early 1990s. In doing so, they laid the foundation for their current success. My latest research also ranks them among the most astute deployers of the Internet. Moreover, these firms are in the forefront of using IT to cope with today’s biggest business challenge: a scarcity of customers.

In today’s crowded markets, the problem isn’t building capacity or generating new products and information. The real bottleneck is finding customers for our prodigious output. Of course, that condition becomes exacerbated in a slow economy, with lots of suppliers clamoring to woo customers. Rising above the din, the new market leaders recognize that customers get flooded with choices and information, yet have less time and patience to sort through the abundance of offerings. These leaders come to the rescue by craftily using IT to get and hold customers’ attention, sometimes offering an added value that keeps customers coming back.

Consider how market leader EMC helps customers stay on top of a little-mentioned corollary of Moore’s Law: information storage requirements double every 18 months. Not only do EMC’s innovative storage products scale well, the company’s true appeal is that it allows customers to sleep better at night. Each of EMC’s 45,000 data storage systems in operation worldwide is connected to one of three “Call Home” centers in Massachusetts, Ireland or Japan. Whenever an EMC unit anywhere in the world senses something wrong, it automatically reports the problem to the nearest center, and potential disaster is averted. Service to prevent, not repair, is indeed service par excellence. EMC’s remote monitoring and diagnostics capability has created a virtual, umbilical link with precious customers.

Or consider UPS. In the past decade, the company has used IT to transform itself into a high-tech, customer-obsessed powerhouse that’s not just distributing goods, but also enabling global commerce. Particularly striking is the company’s ambitious and foresighted move to use wireless technology to boost the value of its services. The delivery information acquisition device (DIAD) is a handheld computer that has helped turn UPS into the world’s largest user of mobile communications technology. It allows UPS drivers and handlers to follow each package and feed large amounts of tracking data into the company’s massive data centers in New Jersey and Atlanta. Now in its third generation, DIAD has cut the firm’s cost of tracking to less than 10 cents per package. But most importantly, UPS customers now use this tracking information to cut their inventories, manage their systems and keep their receivables and late payments under control. UPS is deftly using IT to boost its services’ appeal and value.

These and many other new market leaders demonstrate that the imaginative and bold use of technology is the foremost way to transform customer scarcity into customer abundance.

of the new book The New Market Leaders: Who's


MICHAEL GARTENBERG

Microsoft and The IT World: After the Verdict

THE PHILOSOPHER Friedrich Nietzsche said, “That which does not kill you makes you stronger.” With last month’s appeals court ruling on the antitrust case, Microsoft has survived its most critical challenge to date. So what does the future likely hold, and how does this victory affect Microsoft’s customers and competitors?

First, the company must resolve its legal issues with the Department of Justice (DOJ). It’s likely that with a new Republican administration, Microsoft can go back to the negotiating table one more time and hammer out a new consent decree and come to terms with the DOJ and the attorneys general for the states involved in the case. If that happens, it will smooth the path for the launch of Windows XP, Xbox and .Net.

Bolstered by the court verdict, Microsoft will continue to integrate new technologies into its products. Both the new messaging client and media technologies will remain parts of Windows XP, and the Hailstorm Web services initiative will expand at a much greater pace. Integration does offer benefits to users in terms of usability and reliability, and the vendors that compete with Microsoft in these areas will need to carefully evaluate how these integrated technologies will affect their customers’ buying patterns.

It’s also likely that as a result of the verdict, the company will no longer pitch the larger .Net project as a totally platform-neutral technology. Instead, the Web-based platform for software services will become more tightly coupled with XP for the best possible user experience (though Microsoft will continue to offer parts of the .Net framework and functionality on other platforms).

For organizations that have been dealing with Microsoft and awaiting an outcome of its legal battles before deploying new technologies, the worst of the battle is over. But as Microsoft shifts to services and nonperpetual license agreements, it’s time for Microsoft customers to decide how they want that relationship to change, which technologies they will roll out and when. Critical planning decisions regarding enterprise projects such as the rollout of Office XP and Windows XP must be tied into license planning in order to minimize both long- and short-term acquisition and maintenance costs. Decision-makers must question the short-term cost benefit of signing up early vs. maintaining older technologies longer, and they must address the issues of being locked into a platform that’s rented rather than purchased.

It’s been a tough year for Microsoft, but even with the specter of a breakup looming large, the company focused on the next generation of Windows and Office, announced plans to enter the world of consumer electronics, and began the long road that will shift it from shrink-wrapped software to “software services.” The appellate court’s verdict was a victory for Microsoft, and the harsh rebuke of Judge Thomas Penfield Jackson, who issued the breakup order, was the icing on the cake.

With its legal issues largely behind it, Microsoft is now poised to face the challenges of the ever-changing technology landscape. By allowing the free markets to decide the success of technology standards, the court has restored a level playing field by not crippling Microsoft and allowing it to compete effectively in current and future markets and retain control over features and technology integration. This is something all companies must be allowed to do. Now, it’s up to user organizations to embrace or reject products as they see fit, and the competition will be in the execution of technology strategies, not legal strategies.


Paying the Price for Our Choices

Over the past 10 years, I’ve seen some amazing management moves in companies for which I have consulted. Some IT managers couldn’t get NetWare out of their companies fast enough. Most of the time, their reasoning wasn’t definable. I was left to assume it was a combination of not understanding technology and feeling warm and fuzzy. I’m convinced it rarely, if ever, had a business case. Now, when I heard about the change in licensing for Microsoft products like Office [“Microsoft License Shift Creates Turmoil,” News, May 21], I started watching for some sort of product pricing announcements from Corel. Surely this would be a good time to garner some broader appeal by offering great licensing deals. I heard nothing. Then it hit me: Microsoft had filed with the SEC to help bail out Corel. Say goodbye to options. It’s hard to keep innovating when your revenue sources dry up. Then there’s all that direction from your new partner. Soon those who don’t need “warm and fuzzies,” like small to medium-size companies and consumers, will have no other options. Higher costs and forced upgrades we don’t want or need will be the norm. Directly or indirectly, we’ll all pay this price. So next time one of you IT managers gets frustrated because of rising costs, don’t blame Microsoft. Microsoft saw a problem years ago and focused its efforts on marketing to the warm-and-fuzzy crowd. It effectively did its job. Did you?

Martin  Zinaich 
Lead  systems  analyst 
Tampa,  Fla. 


Dealing  With  Oracle 

Congratulations to Computerworld and IDG for standing up to Oracle’s hard-line tactics in pulling its advertising [“The Power of You,” News Opinion, June 25]. The Oracle Applications Users Group (OAUG) knows just what you’re going through. Last year, the OAUG membership overwhelmingly rejected Oracle’s proposal that the OAUG fold its North American conferences into Oracle’s AppsWorld event. (Computerworld ran a terrific cartoon about the situation in the June 11 issue, illustrating OAUG selling hot dogs outside Oracle’s event.) Rather, the membership indicated that the OAUG should maintain its independence; continue producing its own independent, user-focused conferences; work collaboratively with Oracle; and actively involve Oracle in OAUG events. The OAUG then asked Oracle to provide 60 or so development staff to deliver roughly 55 “Oracle Directions” and Q&A sessions at the OAUG’s fall conference. Oracle has refused to provide even this minimal level of support. The OAUG is now surveying its membership to determine how the user group should move forward. It will hold its fall conference in San Diego for four days, with or without Oracle’s participation — but we find it difficult to believe that Oracle will refuse the opportunity to listen to more than 4,000 of its customers. One wonders how long a vendor can stay in business when it so blatantly ignores the voices of its users.

Laura  Bray 

Communications  manager 
Oracle  Applications  Users  Group 
Atlanta 

The purpose of advertising is to promote a company, product or viewpoint for the benefit of the advertiser. The selection of a particular publication should be to reach a certain demographic — that publication’s readership — not to reward the publication. Computerworld is to be applauded for its editorial independence. Oracle should evaluate its advertising objectives and strategy. I hope that this was the subject of the meetings between IDG publishers and Oracle representatives.

R.K.  Davis 
President 
Davis  &  Co. 

Boca  Raton,  Fla. 


How  Palm  Can  Learn  From  History 

To me, IT history suggests that Palm should run in binary mode, with two independent divisions [“Past May Dictate Palm’s Next Move,” News Opinion, June 25]. One would push software, and the other hardware, just like Sun, HP and IBM. Microsoft is moving slowly into hardware through keyboards, mice and gaming terminals and Compaq into software through clustering. But Palm should avoid the IBM mistake of the early 1980s that led to the creation of Microsoft and Compaq. It should get together with all the major PDA hardware manufacturers, create a standard architecture for these devices and use its lead in this area to develop along those standards. This will commoditize the hardware for PDAs and wireless devices, but the economies of scale that result will drive wireless/PDA component prices down and will create a huge worldwide market. Today’s PC makers are proof that standardization works. Palm Software, like Microsoft before it, would then ride the hardware success by writing the best Palm OS for the standards, selling it very cheaply to gain market share and making money on the upgrades and potential applications running on top of the operating system. This way, the “integrator’s dilemma” becomes a synergy opportunity.
Athmane  Nouiouat 
E-business  solutions  architect 
SAP  America  Public  Services 
Foster  City,  Calif. 


Lawmaker Misconstrues Antitrust

Richard Armey’s comment that “our antitrust laws should not be used to hold our most successful companies back to give the competition a chance to catch up” is absurd [“Appeals Court Reverses Microsoft Breakup Order,” Computerworld.com, June 28]. The precise purpose of antitrust laws is to guarantee a level playing field for all. Companies that violate that principle pay a price.
Larry  Teitelbaum 
Manhattan  Beach,  Calif. 


Digital  Copyright  Law  Isn’t  Cynical 

Alex Torralbas does a pretty good job of hitting on the reality of the Digital Millennium Copyright Act [“Bad Legislation Opens Web to Corporate Lawyers,” News Opinion, June 18], but he omits the theory behind the act. He’s on target that the RIAA will say and do anything to keep its coffers stuffed. The theory behind the DMCA, though, was to ensure that the owners of the underlying copyrighted works receive fair compensation for their livelihood.

Steven  Rubenstein 
Antioch,  Tenn. 


Vexed  by  Mind  Games 

Using sophomoric miming tricks only perpetuates the problem of getting professional salespeople to visit your site [“Message to Vendors: Drop the Mind Games,” Security Manager’s Journal, June 25]. Certainly there are salespeople who try “sales-school tricks” in an attempt to get an appointment or a sale, but to publish an article that enables this to continue is irresponsible.
Harold  Palmer 
Consultant 
Bloomington,  Minn. 


As  e-commerce  becomes  more  important,  so 
does  security  —  to  control  the  risk  and  profits. 


EDITOR’S NOTE

Finding Answers

Much as I love the Web, it has its weaknesses. It’s hard to take on airplanes, for example, and reading anything really long can make your eyes cross.

Print,  on  the  other  hand,  is  portable  and  easy  on 
the  eyes  but  isn’t  so  great  if  you  need  to  dig  for 
more  detail  or  find  answers  to  specific  questions  a 
story  raises  in  your  mind. 

That’s  why  we’re  combining  the  two,  in  this  first 
edition  of  our  monthly  In  Depth  special  report. 

Each  In  Depth  will  focus  on  a  specialty  area  readers 
have  identified  as  important  to  them. 

In print, you’ll find stories probing various aspects of the topic, all tied to exclusive online stories that go into even greater depth, sidebars on related topics, research, and community activities designed to enhance the value of the information you get from Computerworld in print and online.

All of that, plus other related Computerworld content, will live at our enhanced In Depth sites at Computerworld.com, continually updated with news, opinions and new research links to help you keep up to date and focus your research on topics of interest to you.

So you get the portability of print, the resources of the Web and input from your peers in Computerworld communities, served up in ways designed to be convenient. Let us know how it works for you.


Kevin Fogarty is Computerworld’s features editor. Contact him at kevin_fogarty@computerworld.com.


MORE  IN  DEPTH  STORIES 
■  Congress  is  changing  the  risk/reward  equation 
with  new  security  regulations.  So  is  Europe,  where 
they're  really  cracking  down  on  online  behavior 
that’s  tolerated  here. 

■  Is  XML  just  a  big  risk  or  a  major  advantage  for 
keeping  transactions  safe? 


■ Plus, information on tools you can use to set up traps for intruders, PKI nets for customers and where to find answers to almost any question you have on how to stay secure and make money doing it.
www.computerworld.com/securityonline


COMPUTERWORLD ONLINE COMMUNITIES

Get  advice  from  your  peers,  offer  your  own  tips  or  post  your  opinion  at: 

www.computerworld.com/security 
Though many firms are focused on preventing external breaches in computer security, the greatest threats often lurk within a company’s workforce.

By  Dan  Verton 

It’s January 2000, and the world hasn’t imploded under the weight of the Y2k problem. Planes aren’t falling out of the sky, and trains aren’t careening off their tracks. But in a few short months, Craig Goldberg’s start-up will come face to face with a more sinister threat that will take it to the brink of disaster: cybercrime.

The CEO of Internet Trading Technologies Inc. (ITTI), a New York-based technology subsidiary of stock trade regulator LaBranche & Co., had just completed a second round of funding that helped fuel an expansion of the company’s IT staff. Within two months, Goldberg hired a half-dozen more software developers and tapped a CIO with 15 years of experience to take on the role of chief operating officer.

Trouble lurked beneath the surface, however. Two of the company’s software developers approached ITTI’s new COO and demanded that the company “pay them a lot of money or they will resign immediately and not provide any assistance to the development team,” according to Goldberg, who eventually succumbed to the demands.

But that wasn’t enough for the two developers, who left the premises, demanded more money and stock options and threatened to let the development work founder. “It felt like we were being held up,” says Goldberg. Faced with the equivalent of a cyberhijacking, he refused to budge, and the developers were dismissed.

The first denial-of-service attack hit the next morning, a Thursday, and crashed the company’s application server. Somebody sitting at a computer in a downtown Manhattan Kinko’s had gained access to ITTI’s server using an internal development password. The server was brought back online, only to be hit again two minutes later, says Goldberg. Passwords were changed, and development systems were air-gapped — physically disconnected — from the Internet. But the attacks continued through the weekend.

The situation soon became critical. “If the attacks continued to go on, we would go out of business,” Goldberg says. He called in a security consulting firm and the Secret Service.

The  last  attack,  which  occurred  Monday  morning, 
hit  as  federal  authorities  were  installing  monitoring 
equipment  on  ITTI’s  networks.  Authorities  traced 
the  attacker  to  a  computer  at  Queens  College  in 
Flushing,  N.Y.,  where  one  of  the  former  employees 
was  a  student.  Witnesses  placed  the  individual  at  the 
specific  computer  at  the  precise  time  of  the  attack. 
Within  an  hour,  the  Secret  Service  officials  had  their 
man.  No  evidence  or  charges  were  brought  against 
the  other  former  employee. 


Stress  Points 

Experts agree that cybercrimes, such as the one perpetrated against ITTI, are often the result of a combination of factors that are unique to the modern IT workplace. Although most managers believe, as Goldberg says, that “security is both about risk management and hiring honest people,” experts in criminal psychology say the onus is often on managers to take action to prevent current and former employees from lashing out in the form of cybercrime.

Jerrold Post, a professor of psychiatry at The George Washington University in Washington, developed the “Camp David profiles,” which focus on understanding the psychology of terrorism and political violence. They were developed for then-President Jimmy Carter. Post says cybercrime can be seen as a subset of workplace violence, where employees become frustrated but have no way to mitigate the stress.

“In almost every case, the act which occurs in the information system era is the reflection of unmet personal needs that are channeled into the area of expertise,” says Post. “Almost all of these people are loyal at the time of hiring, so this isn’t a matter of screening them out.”


MORE IN DEPTH STORIES

Access additional content, published exclusively online, at: www.computerworld.com/securityonline

IN DEPTH RESEARCH ON CYBERCRIME

■ From the U.S. Department of Justice, on Computer Crime: Identity Theft: The Crime of the New Millennium, Sean B. Hoar (March 2001)
■ Federal Criminal Code Related to Computer Crime: 18 U.S.C. § 1029. Fraud and Related Activity in Connection with Access Devices
■ Critical Infrastructure Protection Resources: Privacy Laws and the Employer-Employee Relationship, A Legal Foundations Study.
■ Plus other links at: www.computerworld.com/securitylinks


Post  acknowledges  that  only  a  small  percentage  of 
IT  workers  who  share  a  common  set  of  personality 
traits  actually  commit  crimes.  However,  for  those 
who  do  become  cyberoffenders,  their  actions  are 
often  the  result  of  not  having  skilled  managers  who 
can  alleviate  workplace  stressors,  he  says. 

Post  suggests  several  approaches  that  managers 
can  take  to  both  identify  and  alleviate  those  stressors 
for  employees,  including  providing  more  distinct 
career  paths.  He  also  says  managers  need  to  acquire 
better  leadership  skills  to  help  people  feel  like  they 
really  matter  to  an  organization. 

Bill  Tafoya  has  spent  the  better  part  of  the  past 
25  years  profiling  criminals.  A  former  special  agent 
at  the  FBI  and  now  a  professor  of  criminal  justice  at 
Governors  State  University  in  University  Park,  Ill., 
Tafoya  says  many  IT  workers  today  sometimes  feel 
browbeaten  by  their  employers. 

“Most  of  the  time,  however,  they  merely  become 
cynics  who  infect  co-workers  with  their  misanthropic 
view  and  undertake  career-long,  one-person  work 
slowdowns,”  he  says. 

Managers often mishandle difficult situations, he says. “In some organizations, when personnel falter and are subsequently disciplined, the records department is a favorite reassignment [that] management uses for purposes of punishing the miscreant,” Tafoya says. “I ask you, who is being punished?” Career paths need to be developed for IT personnel who handle a company’s crown jewels — its information, he adds.

Obviously,  not  all  cybercrimes  occur  as  a  result  of 
frustrated  employees.  Many  computer  security 
breaches  are  the  acts  of  dishonest  people  who  crack 
into  systems  from  the  outside  using  the  Internet. 

Sometimes, they get a little indirect help from unsuspecting employees.

In February, a major bank in the Northeast whose name is being withheld for security purposes discovered that unauthorized purchases were being made on the Internet using its customers’ information. The bank called the Emergency Response Team (ERT) at Internet Security Systems Inc. (ISS), an Atlanta-based security firm. After 131 hours of forensics processing, both ISS and bank officials suspected that a mole in the company was helping the attacker.

“The client was convinced there was a collaborator and was ready to terminate a number of individuals, as well as contractors,” said Allan Fideli, director of the ERT and the former chief of worldwide security at IBM. However, Fideli and another analyst eventually narrowed down the perpetrator to a contractor in Europe who had stolen passwords from his mother-in-law, who was an employee of the bank.


What the Experts Say

■ Most experts recommend that companies offer regular training programs on network security procedures, information handling techniques, how to deal with social engineering techniques used by outsiders, the importance of physical security standards and Web/computer asset usage guidelines.

■ Managers should receive training in how to handle disgruntled employees and make sure clear career paths for IT personnel are established. Close attention should be paid to layoffs and compensation packages.

■ Clear security guidelines should be published and, if necessary, employees should be asked to sign nondisclosure and computer usage agreements. Internal information should be classified and shared according to its sensitivity and employee need-to-know parameters.

■ Companies should also encrypt sensitive communications, use network monitoring tools, enforce security practices and separate IT development network environment from sales and support divisions.


Scott  Christie,  an  assistant  attorney  at  the  U.S. 
Attorney’s  Office  for  the  District  of  New  Jersey  in 
Newark,  says  a  lack  of  oversight  is  a  key  enabler  in 
many  cybercrime  cases. 

“Without  any  oversight,  [criminals]  can  do  what 
they  want  without  fear  of  being  caught,”  says  Christie. 

Richard Hunter, an analyst at Stamford, Conn.-based Gartner Inc., says management inattention can be a contributing factor. “Some managers are inattentive to the point that they do not even check resumes for people being hired into positions where sensitive data is available,” says Hunter.

Although Post acknowledges that the majority of hackers are little more than garden-variety criminals, the world of cybercrime does have its share of Lee Harvey Oswalds, he says. The most recent example is Abraham Abdallah, a 32-year-old Brooklyn busboy who in March managed to pull off the biggest Internet identity heist in history by stealing the online identities of 200 of the richest people in America.

There is little difference in motivation between criminals like Abdallah and Oswald, says Post. “To steal somebody’s identity is to escape from one’s place of insignificance. It’s a special species of assassination,” he says.

For Tafoya, the assassination metaphor goes too far. “Those who have been so victimized see the theft of their identity as more akin to rape,” he says.

According to ITTI’s Goldberg, however, cybercrime is about greed. “We talked and negotiated in good faith, but at a certain point in time, it becomes extortion,” he says.
Many see XML as a miraculous way to integrate the Web and back-end data. But few realize how powerful a force they’re letting through the firewall and how big the risk is from hackers who can write hostile code disguised as HTML.

By  Deborah  Radcliff 


Just when you thought the uncontrolled forces of the Web were finally getting manageable, along comes multidimensional data. We’re talking XML, which unlocks data from many sources for many destinations as no markup language has done before.

But this new way of handling data also opens up new security vulnerabilities. Already, IT managers are bracing for a new onslaught of malicious code, data hijacking, viruses, graffiti, defacements and buffer overflows.

XML  is  spreading  to  back-office  systems,  business 
exchanges  and  wireless  applications.  In  the  next  two 
years,  XML  will  be  used  on  more  than  50%  of  Web 
sites,  according  to  some  researchers. 

Even two years ago, companies like Marriott International Inc. had begun making their back-office applications more extensible through XML. And progressive businesses like ETrade Group Inc. and Alaska Airlines are now announcing wireless trading and reservations through XML-based systems built by companies like Everypath Inc., a mobile application framework vendor in San Jose.

Unlike HTML, XML can link an unlimited combination of data types by tagging them with a standard, machine-readable language to define each piece of data and determine what it does.

For example, XML can be used to dynamically link inventory data stored in an arcane format in a back-end database with specific spreadsheet columns that allow customers and partners to slice and dice numbers in real time.

Developers can use XML to create interactive Web sites by dynamically linking the data stored in their systems or from anywhere in the public domain.

XML is the basis for an emerging consumer privacy framework called Platform for Privacy Preferences, introduced by Microsoft Corp. and several small vendors this year. And XML shows promise of finally making public-key infrastructures and digital signatures interoperable.

But  XML  has  a  dark  side.  The  powerful  capabilities 
of  these  data  sets  and  dynamic  links  open  up  a  whole 
new  can  of  security  worms  because  the  code 
defined  by  XML  tags  can  carry  virtually  any 
payload  through  the  firewall  unchecked. 

Simply  put,  firewalls  and  filters  trust  that 
the  XML  tags  are  honest  descriptors  of  the 
code  they  define,  so  malicious  XML  code  could  get  a 
free  ride  into  almost  any  organization. 

Too  Much  Trust? 

The World Wide Web Consortium (W3C), whose members are mostly technology and telecommunications vendors, denies any suggestion that XML opens up new security problems. “XML is just a markup . . . used to convey information and build applications,” says Joseph Reagle, a policy analyst at the W3C.

But as with other languages that support executable code, the problem is what developers do with XML. “How you convey information and build applications will, of course, have security concerns,” says Reagle.

It’s  this  model  of  trusting  developers  to  do  the 
right  thing  with  XML  that  worries  IT  professionals. 

“Trust is the darned key to all of this,” says Perry Luzwick, director of information assurance architecture at Herndon, Va.-based Logicon Inc., an IT company owned by Los Angeles-based Northrop Grumman Corp. “There’s no control of the input in an open XML environment unless you could somehow check wrappers [tags], but that’s cumbersome. . . . There’s no way to say that metadata in the tags represents what it says it does.”

It’s too early to tell how widespread XML-enabled exploits will be in the next few years. So far, exploits are rare because there’s no XML on the client end yet, says Ryan Russell, incident analyst at security intelligence firm SecurityFocus Inc. in San Mateo, Calif. But Internet Explorer has a heavy XML feature set in V6.0, to be released later this year.

Payet Guillermo, chief technology officer at Ocean Group, an Internet engineering firm in Santa Cruz, Calif., says the first wave of XML attacks will resemble malicious code attacks conducted in HTML, more than 40 of which are listed on the advisory pages of the Pittsburgh-based CERT Coordination Center. “Just as there are a bunch of browser exploits that use malformed HTML and Java to crash your browser or take control of your machine, we’ll probably see the same types of attacks aimed at XML parsers . . . and the applications using the parsed data,” says Guillermo.

Text-based attacks will also re-emerge, predicts Dan Moniz, a research scientist at peer-to-peer application developer OpenCola Ltd. in Toronto.

A text-based attack is accomplished by inserting complicated data streams — symbols, numbers and characters — anywhere in applications, including buffers, or Web addresses. Until XML, text-based attacks were successfully filtered. But the XML framework introduces a more complex character set routine, Unicode, to facilitate more complex data typing. Unicode uses 16-bit character sets instead of ASCII’s eight bits.

In May, the first Unicode text-string exploit (against Microsoft’s Internet Information Servers) was posted on CERT’s advisory pages (Vulnerability Note VU#111677).

“In Unicode, there are an infinite number of ways to say something.
So programs that block bad code can’t work with Unicode, because
they can’t think of all the ways the bad code could be written,”
says Bruce Schneier. In July of last year, Schneier, founder and
chief technology officer of Counterpane Internet Security Inc. in
Cupertino, Calif., published a white paper predicting an onslaught
of text-based attacks exploiting the Unicode character sets.
“Unicode is just too complex to ever be secure,” he adds.

[Chart: When do you plan to use XML to publish your Web site?
Percentage of programmers using XML]

The Problem With Power

According to Peter Lindstrom, an analyst at Hurwitz Group, the power
of XML comes from its flexibility and extensibility paired with its
semantics and structure. But these same elements, he contends, also
cook up new security issues. In a white paper entitled “Introduction
to XML Security” (June 2001), Lindstrom cites four recipes for XML
disaster. Here are those risks and ways to defend against hostile
XML executables:

DANGERS

■ DATA SHARING The “cookbook” approach to data sharing - one that
involves many ways to share data - makes it difficult to validate
the source of every piece of information and the accuracy of the
information itself.

■ DATA LINKING Presenting data in the form of links via Web
addresses overextends security mechanisms.

■ TRANSPORT Firewalls won’t stop XML, regardless of the application
that’s using it.

■ STRUCTURE Even though XML instances can look exactly alike, they
can be different under the covers. Placement of tags, use of white
spaces and other style tweaks can introduce new ambiguities to the
data sets.

DEFENSES

■ Don’t trust inbound data.

■ Check data sizes on input.

■ Test untrusted XML-wrapped executables in a “sandbox” - a separate
area of the network - to make sure the code isn’t malicious.

■ Set up a local store of Document Type Declarations (DTD) either at
or near the firewall and keep it updated like you would virus
signatures.

DTDs are XML syntax-based data describers that will likely be linked
to you from other sources. If these DTDs were altered outside your
network, a local DTD store would notice a conflict and stop the
process, says Dan Moniz, a research scientist at OpenCola Ltd. in
Toronto.
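One way to combine the input-size check and the local DTD store from the Defenses list, as an added Python example (not code from the article or from Lindstrom’s white paper). The store class, the 64 KB limit, the partner URL and the sample documents are constructed for illustration, and `served_dtds` stands in for the copy a real gate would fetch from the remote site.

```python
import hashlib
from xml.parsers import expat

MAX_DOCUMENT_BYTES = 64 * 1024  # assumed limit; tune per interface

# Constructed sample data (not from the article).
ORDER_DTD_ID = "http://partner.example/order.dtd"
REVIEWED_DTD = b"<!ELEMENT order (qty)>\n<!ELEMENT qty (#PCDATA)>\n"
ALTERED_DTD = b"<!ELEMENT order (qty, memo)>\n<!ELEMENT qty (#PCDATA)>\n"
ORDER_DOC = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order SYSTEM "http://partner.example/order.dtd">\n'
    b"<order><qty>2</qty></order>"
)


class LocalDtdStore:
    """SHA-256 digest of every reviewed DTD, keyed by system identifier."""

    def __init__(self):
        self._pinned = {}

    def pin(self, system_id, dtd_bytes):
        self._pinned[system_id] = hashlib.sha256(dtd_bytes).hexdigest()

    def knows(self, system_id):
        return system_id in self._pinned

    def matches(self, system_id, dtd_bytes):
        digest = hashlib.sha256(dtd_bytes).hexdigest()
        return self._pinned.get(system_id) == digest


def read_doctype(document):
    """Return (system_id, has_internal_subset) without fetching anything.

    No external-entity handler is installed, so expat never retrieves
    the DTD the document points at.
    """
    found = {"system_id": None, "internal": False}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        found["system_id"] = system_id
        found["internal"] = bool(has_internal_subset)

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(document, True)  # raises ExpatError on malformed input
    return found["system_id"], found["internal"]


def admit(document, store, served_dtds):
    """Decide whether an inbound XML document may pass the gate."""
    # Size is checked first, before any parsing work is done.
    if len(document) > MAX_DOCUMENT_BYTES:
        return "rejected: too large"
    try:
        system_id, internal = read_doctype(document)
    except expat.ExpatError:
        return "rejected: malformed"
    # Declarations carried inside the document bypass the reviewed DTD.
    if internal:
        return "rejected: internal subset"
    if system_id is None or not store.knows(system_id):
        return "rejected: unknown DTD"
    # Conflict between the pinned copy and what is served now: stop.
    if not store.matches(system_id, served_dtds.get(system_id, b"")):
        return "rejected: DTD conflict"
    return "accepted"


def demo():
    """Run the constructed samples and return their verdicts."""
    store = LocalDtdStore()
    store.pin(ORDER_DTD_ID, REVIEWED_DTD)
    return {
        "unchanged DTD": admit(ORDER_DOC, store, {ORDER_DTD_ID: REVIEWED_DTD}),
        "altered DTD": admit(ORDER_DOC, store, {ORDER_DTD_ID: ALTERED_DTD}),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Refreshing the store means re-reviewing a changed DTD and pinning the new digest, the same update cycle the sidebar compares to virus signatures.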

Indeed,  protecting  against  any  new  XML-based  at¬ 
tacks  won’t  be  easy  because  there  are  no  checks  to 
verify  such  complex  data  streams  being  pushed  or 
pulled  into  business  networks. 

Don’t  count  on  filtering  to  help.  Firewalls  won’t 
check  XML-embedded  data.  And  XML-encoded  at¬ 
tack  signatures  won’t  show  up  in  audit  logs,  says 
Dark  Tangent,  a  white-hat  hacker  and  organizer  of 
the  annual  Def  Con  security  conference  for  hackers 
in  Las  Vegas. 
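The filtering problem Schneier describes, shown as an added Python example (not code from the article): a deny-list applied to the raw text misses equivalent spellings, while reducing the input to one canonical form first and then applying an allow-list does not. The deny-list tokens, the allow-list pattern and the sample inputs are constructed assumptions.

```python
import re
import unicodedata
from urllib.parse import unquote_to_bytes

DENY_TOKENS = ("../", "<script")  # hypothetical deny-list
# Assumed allow-list: lowercase path segments separated by "/".
SAFE_PATH = re.compile(r"[a-z0-9_.\-]+(?:/[a-z0-9_.\-]+)*")

# Constructed inputs: one plain path and four spellings of "../".
SAMPLES = [
    "reports/2001/july.xml",
    "reports/%2e%2e/config",             # percent-encoded dots
    "reports/%252e%252e/config",         # percent-encoded twice
    "reports/\uff0e\uff0e\uff0fconfig",  # fullwidth compatibility forms
    "reports/..%c0%afconfig",            # bytes that are not valid UTF-8
]


def naive_filter(raw):
    """Deny-list check on the text exactly as received. True = accepted."""
    lowered = raw.lower()
    return not any(token in lowered for token in DENY_TOKENS)


def canonicalize(raw, max_rounds=3):
    """Reduce the input to a single form, or raise ValueError.

    Percent-escapes are undone until the text stops changing, bytes
    must decode as strict UTF-8, and compatibility characters are
    folded with NFKC before lowercasing.
    """
    text = raw
    for _ in range(max_rounds):
        try:
            decoded = unquote_to_bytes(text).decode("utf-8", errors="strict")
        except UnicodeDecodeError as exc:
            raise ValueError("malformed UTF-8") from exc
        if decoded == text:
            break
        text = decoded
    else:
        raise ValueError("too many encoding layers")
    return unicodedata.normalize("NFKC", text).lower()


def validate_path(raw):
    """Return the canonical path if it is allowed, otherwise None."""
    try:
        path = canonicalize(raw)
    except ValueError:
        return None
    # Anything outside the allow-list (including a leftover "%") fails.
    if not SAFE_PATH.fullmatch(path):
        return None
    if any(segment in (".", "..") for segment in path.split("/")):
        return None
    return path


def compare(samples=SAMPLES):
    """Return (input, naive verdict, canonical result) for each sample."""
    return [(s, naive_filter(s), validate_path(s)) for s in samples]


if __name__ == "__main__":
    for raw, naive_ok, canonical in compare():
        print(f"{raw!r}: naive={naive_ok} canonical={canonical}")
```

Whatever consumes the value afterwards has to use the canonical form the validator returned, not the original string, or the two will again disagree about what the input means.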

Safety  in  Standards 

About the only thing IT professionals can do at this early stage is
minimize their own development risks. The best bet is to carefully
follow XML development standards and protocols coming from the
Internet Engineering Task Force (www.IETF.org), the W3C (www.W3.org),
vertical industry groups and vendor-developed frameworks like
Everypath’s, advises Peter Lindstrom, a security analyst at Hurwitz
Group Inc. in Framingham, Mass.

And  remember,  you’re  not  the  only  one  trying  to 
make  sense  of  the  XML  paradigm.  Even  those  in  the 
know,  like  John  Goeller,  director  of  electronic  trading 
at  Credit  Suisse  First  Boston  in  New  York  and  chair¬ 
man  of  a  financial  services  XML  working  group,  are 
struggling  with  more  than  a  dozen  XML  protocols  to 
come  up  with  a  universal  standard  suitable  for  finan¬ 
cial  trading  applications. 

Growing pains like these are common with all emerging technologies,
says Dark Tangent. There’s no way to know how the exploits will hit
or when because programs support XML differently than they do HTML,
he says. “It will take time for XML developers to get XML integrated
correctly,” he says.

MORE  IN  DEPTH  STORIES 
•  XML  is  more  than  just  a  threat.  It  can  also  be  a  way 
to  make  secure  e-commerce  work  using  digital 
certificates. 

Check  out  more  on  XML,  its  uses,  defenses  against  it, 
and  how  to  use  it  to  your  own  advantage. 

www.computerworld.com/securityonline 


SOAP,  Other 
Protocols  Specify 
Security  for  XML 

Microsoft’s Simple Object Access Protocol (SOAP) has garnered a lot
of attention, especially since it was submitted to the W3C as a
possible standard for XML-based communication among object-oriented
applications.

But  privacy  and  data  integrity  protection  specifi¬ 
cations,  missing  in  earlier  versions  of  SOAP,  also 
get  a  lot  of  attention. 

SOAP  authors,  including  Microsoft  and  IBM, 
addressed  that  lack  of  information  in  February, 
submitting  a  new  set  of  SOAP  security  specifica¬ 
tions  to  the  W3C. 

Based  on  XML,  SOAP  is  used  in  middleware  for 
communication  among  information  systems  built 
on  different  technologies. 

Version 1.1 of the specification, announced in April of last year,
let SOAP messages, which are based on HTML, sail freely through most
firewalls. That gave legitimate business partners free entry to
remotely activate code and exchange information.

But it also extended the same welcome mat to hackers, said James
Kobielus, an analyst at Midvale, Utah-based The Burton Group Inc.

The February extension to SOAP proposes a way to use the XML digital
signature syntax to sign and authenticate SOAP 1.1 messages.

It  also  proposes  definition  of  an  extensible 
name  space  for  adding  to  the  SOAP  header  further 
security  features,  such  as  biometric  signatures  and 
XML  encryption,  as  standards  become  available. 

The  W3C  has  appointed  a  working  group  to  de¬ 
velop  an  open  standard  protocol  similar  to  SOAP 
called  XML-Protocol. 

Although  the  SOAP  specification  is  maturing, 
applications  that  require  stringent  security,  such  as 
securities  trading,  continue  to  use  stronger  proto¬ 
cols,  such  as  electronic-business  XML  (ebXML). 

That  specification  is  a  collaborative  effort  of  an 
IBM-led  consortium,  the  Organization  for  the  Ad¬ 
vancement  of  Structured  Information  Standards 
(OASIS),  and  the  United  Nations.  That  group  is 
working  on  standards  for  authorization  and  access 
control,  said  Robert  Sutor,  IBM’s  director  of  e-busi- 
ness  standards  strategy. 

Emerging  in  the  next  few  months  will  be  a  road 
map  to  XML  security,  but  “it  will  take  coordination 
among  the  W3C,  OASIS  and  other  organizations  in 
a  way  we  haven’t  seen  before,”  Sutor  said. 

-  Sami  Lais 


SOAP 

An  XML-based 
protocol  that  passes 
messages  from  one 
software  component 
to  another  across  the 
Internet,  using  HTTP, 
SMTP  and  other 
standard  protocols. 
Top 10 Security Mistakes

You may not be able to prevent serious break-in attempts, but you
can at least avoid leaving your doors open at night.
By Alan S. Horowitz


People  regularly  lock 
their  houses,  demand 
airbags  in  their  vehicles 
and  install  smoke  alarms  in 
their  homes.  But  put  them 
in  front  of  a  computer,  and 
you’d  think  the  word  security 
was  magically  erased  from 
their  brains.  People  are  more 
careless  with  computers  than 
perhaps  any  other  thing  of  val¬ 
ue  in  their  lives.  The  reason  is  unclear, 
but  observers  agree  that  end  users  — 
and  even  some  IT  departments  —  can 
be  pretty  dumb  when  it  comes  to  pro¬ 
tecting  computers  and  their  contents. 

The  following  are  some  notable,  less- 
than-bright  errors  that  people  and  IT 
professionals  commit  when  it  comes  to 
computer  security: 

1. The not-so-subtle Post-it Note. Yes, those sticky yellow things
can undo the most elaborate security measures. Too lazy to remember
their passwords, users place them where they — and everyone else —
can see them: stuck to the front of their monitors. Lest you think
this is so obvious it’s uncommon, Garrett Grainger, vice president
of information systems at office supply manufacturer Dixon
Ticonderoga Co. in Heathrow, Fla., estimates that of his several
hundred end users, 15% to 20% regularly do this.


2. We know better than you. You may think that certain security
measures are necessary, but not all end users agree, which leads
them to do an end-run around you. “People blithely turn things off
they think have a good reason to bypass,” notes Frank Clark, network
operations center manager at Thaumaturgix Inc., an IT consulting
firm in New York. “Antivirus software is an example. They think it
slows down their machine.”

3. Leaving the machine on, unattended. Dan Bent, CIO at Benefits
Systems Inc. in Indianapolis, says he’s amazed at the number of
users who leave their machines on, without protection, and walk
away. Who needs a password?

4. Opening e-mail attachments (remember the Love Bug virus?) from
mere acquaintances or even strangers. This one drives IT managers
nuts. “Users open all their e-mail attachments before thinking,”
says Marie Phillips, manager of information security services at
Amerisure Mutual Insurance Cos. in Farmington Hills, Mich. “We tell
them to be careful about opening notes and attachments from
strangers or when they get the same notes from several people, even
those they know.”


5. Poor password selection. If there’s a bugaboo among security
experts, it’s poorly chosen passwords. Ken Hill, vice president of
IT at General Dynamics Corp. in Falls Church, Va., recently attended
a demonstration with about 20 of his top engineers and some
antihacking experts from NASA. Within 30 minutes, the NASA folks
broke 60% of the engineers’ passwords. Paul Raines, global head of
information risk management at London-based Barclays Capital,
recommends that users take a common phrase and use its initials for
a password. For example: “I pledge allegiance to the flag” becomes
“ipa2tf.” “That’s a difficult password to break because it’s a
combination of letters and numbers,” says Raines.

6. Loose lips sink ships. Clark says people often talk in public
places about things they shouldn’t. “They will say at a bar, ‘I
changed my password and added the number 2,’ and someone sitting two
stools down hears this. Some things you just shouldn’t talk about
outside the office environment,” says Clark.

7. Laptops have legs. Everyone knows how common it is for laptops to
be stolen in public places, but Jay Ehrenreich, senior manager at
PricewaterhouseCoopers in New York, says it’s surprisingly common
for a person to leave his laptop in his office, unsecured and
unattended, and in full view of passersby. “These things walk,” he
warns. Users should place their laptop securely out of sight, such
as in a locked desk drawer.

8. Poorly enforced security policies. The best-designed security
plans are useless if IT fails to rigorously enforce them. “If these
things aren’t enforced by the system, then the policy isn’t useful,”
notes Chris Smith, vice president of computer information systems at
EasCorp, a Woburn, Mass.-based provider of wholesale financial
services to the credit union industry.

9. Failing to consider the staff. “Your greatest [security] threat
is from in-house,” says Hill. Disgruntled employees and others can
cause enormous problems if they’re not properly monitored. IT
departments should do a good job monitoring incidents and have the
forensics capabilities to be able to follow problems to their
sources.

10. Being slow to update security information. “One thing we see all
the time is that service packs are not kept up-to-date,” says
Ehrenreich. This creates a window of opportunity for hackers.
With a European computer security treaty ready for ratification, IT
managers in the U.S. had better concern themselves with liability
and protection issues.

By  Deborah  Radcliff 


Information  technology  man¬ 
agers  fear  that  the  Council  of  Eu¬ 
rope’s  final  draft  of  a  controversial 
cybercrime  treaty,  which  was  ap¬ 
proved  by  the  council’s  European 
Committee  on  Crime  Problems 
last  month,  will  affect  their  businesses 
from  both  a  liability  and  a  security  per¬ 
spective. 

But  before  getting  all  worked  up 
over  liability  issues,  American  IT  lead¬ 
ers  need  to  remember  that  Eu¬ 
ropean  nation-states  are  behind 
the  U.S.  in  terms  of  cyberlegis¬ 
lation  and  law  enforcement,  ex¬ 
plains  Martha  Stansell-Gamm, 
chief  of  the  Computer  Crime  and  Intel¬ 
lectual  Property  Section  at  the  U.S.  De¬ 
partment  of  Justice  (DOJ).  Stansell- 
Gamm  was  the  DOJ’s  representative  in 
the  drafting  of  the  treaty.  The  U.S.  par¬ 
ticipated  because  it  has  observer  status 
within  the  Council  of  Europe. 

“We already have many treaties — bilateral and multilateral — on law
enforcement matters like extradition, mutual assistance, money
laundering and corruption,” she says. “An awful lot of what’s going
into this treaty is not new; this just combines technology and
criminal law and international law.”

Just  as  in  other  international  law 
enforcement  pacts,  the  primary  ob¬ 
jective  of  the  treaty  is  to  break  the 
bottlenecks  in  international  cyberin¬ 
vestigations,  says  Stansell-Gamm. 

For  example,  if  the  Philippines  had 
the  laws  in  place  to  become  a  signatory 
to  the  treaty,  the  creators  of  the  “I  Love 
You”  virus  may  have  been  brought  to 
trial  there.  But  at  the  time,  the  Philip¬ 
pines  had  no  laws  addressing  comput¬ 
er  crime,  and  the  U.S.  had  no  treaty 
agreement  with  Philippine  authorities 
to  continue  the  investigation,  so  the 
virus  writers  were  never  charged. 

“We  want  to  avoid  the  situation 
where  U.S.  networks  are  being  pound¬ 
ed  from  overseas  and  we  can’t  do  any¬ 
thing  about  it,”  Stansell-Gamm  says. 

Until  now,  domestic  law  enforce¬ 
ment  agencies  have  been  in  a  quandary 
over  international  cyberinvestigations. 
They’ve  tried  everything  from  training 
foreign  authorities  to  luring  a  cracker 
from  Russia  to  the  U.S.  and  then  trac¬ 
ing  his  cybertracks  back  to  his  server 
lair  and  downloading  the  contents  of 
that  server. 

Yet  despite  the  hope  that  the  treaty 
will  improve  the  ability  of  U.S.  corpo¬ 
rations  to  press  criminal  charges 
against  foreign  attackers,  the  American 
business  community  is  concerned 
about  a  number  of  substantive  laws 
that  treaty  participants  must  enact  if 
they  want  to  be  signatories.  In  particu¬ 
lar,  U.S.  firms  are  concerned  about  the 
following  potential  problems: 

■  Increased  corporate  liability. 

■  Granting  too  many  investigative 
powers,  to  the  detriment  of  corporate 
privacy. 

■  Making  the  distribution  and  sale  of 
hacking  tools  illegal. 

Among these concerns, the one voiced loudest by corporate managers
is the potential impact for businesses that use hacking tools to
test the stealth of their networks. “Ping could be a hacking tool.
TraceRoute [a tool used for IP tracking] could be a hacking tool.
How do you define a hacking tool?” asks Frank Clark, network
operations manager at Thaumaturgix Inc., a hosting and IT services
firm in New York. “The people making these laws don’t know what a
hacking tool is. And to outlaw the wrong tools could make it
impossible for me to do my job testing my network.”

■ See more about the treaty, including the actual language,
discussions from European signatories and private-sector
discussions.

■ See privacy advocates’ evaluation of U.S. companies’ preparation
for the treaty and the impact the treaty will have on international
business. Cybercrime links are at:
www.computerworld.com/securitylinks

post your opinion at:

Mark  Rasch,  vice  president  of  cyber¬ 
law  at  Predictive  Systems  Inc.,  a  tech 
consultancy  in  New  York,  says  such  re¬ 
strictions  could  also  violate  First 
Amendment  rights  to  free  speech. 

This  particular  concern  isn’t  being 
driven  by  the  language  in  the  treaty 
document  itself,  but  in  a  preamble 
press  release  published  when  the  draft 
first  went  online  in  April  2000.  The  re¬ 
lease  stated,  “The  draft  provides  for  the 
co-ordinated  criminalisation  of  com¬ 
puter  hacking  and  hacking  devices,” 
without  going  into  further  detail. 

“The  real  problem  we  have  is  the 
document  doesn’t  address  intent,”  says 
Lisa  Norton,  an  attorney  for  Internet 
Security  Systems  Inc.  (ISS)  in  Atlanta. 
Norton  lobbied  against  the  outlawing 
of  hacking  tools  because  such  laws 
could  put  tools  vendors  such  as  ISS  out 
of  business. 

Fortunately,  both  the  April  and  De¬ 
cember  2000  treaty  drafts  clearly  state 
that  hacking  tools  are  illegal  only  if 
used  “for  the  purpose  of  committing 
offences  established  in  Articles  2-5” 
(see  list  at  right).  The  December  treaty 
draft  includes  additional  provisions  al¬ 
lowing  legitimate  use  of  hacking  tools. 

Other IT professionals who have carefully read the document say they
feel that the treaty clearly addresses the issue of intent and the
legitimate use of hacking tools. “I spent 15 years as an attorney,
and I do know ambiguous language. This [treaty draft] is something
we’re comfortable with,” says Mitch Demblin, program director for
the cyberattack team at Exodus Communications Inc. in Santa Clara,
Calif.


The  European 
Cybercrime  Treaty 

The  29-page  Draft  Convention  on  Cyber-crime  (http://conventions.coe.int/treaty/ 
EN/cadreprojets.htm)  is  an  international  law  enforcement  treaty  draft 
spearheaded  by  the  Council  of  Europe  that  attempts  to  define  cybercrime 
and  attach  substantive  criminal  penalties.  As  a  potential  signatory  to  the 
treaty,  the  U.S.  has  participated  in  its  drafting  through  the  Commerce  and 
Justice  departments.  U.S.  corporate  interests  have  been  represented  in 
treaty  development  by  meeting  with  the  U.S.  contingent  over  the  past  year. 

FACTS  ABOUT  THE  TREATY 

■  As  of  May,  there  were  25  versions  of  the  draft. 

■  European  legislative  work  in  the  area  of  cybercrime  actually  began  back  in  the  mid-’80s. 

■  The  treaty  should  be  ready  to  ratify  by  the  end  of  this  year. 

■  The  U.S.,  along  with  eight  other  nations,  including  Japan,  Canada  and  South  Africa,  has 
been  invited  to  be  a  signatory  to  the  treaty  once  it’s  ratified. 

■  To  be  a  signatory,  a  country  must  first  apply  its  own  “substantive”  (i.e.,  criminal)  laws. 

■ Articles would regulate:

• Illegal access
• Illegal interception of electronic communications
• Data interference
• System interference
• Misuse of devices
• Computer-related forgery
• Computer-related fraud
• Child pornography
• Copyright
• Aiding or abetting
• Corporate liability

■  The  rest  of  the  document  covers  procedural,  investigative  and  mutual  assistance, 
jurisdiction,  extradition  and  information-sharing  issues. 

■  This  is  the  first  time  the  Council  of  Europe  has  opened  legislative  development  to  public 
scrutiny  by  posting  it  on  the  Web. 

■  On  June  22,  the  cybercrime  treaty  was  adopted  by  the  standing  committee  that  drafted 
it.  It's  now  being  conveyed  to  the  43  member  nation-states  of  the  Council  of  Europe, 
which  will  decide  on  ratification  by  the  end  of  the  year. 


ARTICLE 6 - MISUSE OF DEVICES

1. Each Party shall adopt such legislative and other measures as may
be necessary to establish as criminal offences under its domestic
law, when committed intentionally and without right:

a. the production, sale, procurement for use, import, distribution
or otherwise making available of:

1. a device, including a computer program, designed or adapted
primarily for the purpose of committing any of the offences
established in accordance with Article 2-5;

2. a computer password, access code, or similar data by which the
whole or any part of a computer system is capable of being accessed
with intent (13) that it be used for the purpose of committing any
of the offences established in Articles 2-5; and

b. the possession of an item referred to in paragraphs (a)(1) or (2)
along with intent that it be used for the purpose of committing any
of the offences established in Articles 2-5. A Party may require by
law that a number of such items be possessed before criminal
liability attaches.

2. This article shall not be interpreted as imposing criminal
liability where the production, sale, procurement for use, import,
distribution or otherwise making available or possession referred to
in paragraph 1 of this Article is not for the purpose of committing
an offence established in accordance with articles 2 through 5 of
this Convention, such as for the authorised testing or protection of
a computer system.

3. Each Party may reserve the right not to apply paragraph 1 of this
Article, provided that the reservation does not concern the sale,
distribution or otherwise making available of the items referred to
in paragraph 1 (a) (2).
Intrusion detection systems are getting smarter, but sorting real
attacks from false alarms takes planning.
By Steve Ulfelder


RISK 


When  ecampus.com  first  installed  an 
intrusion-detection  system  (IDS),  the 
alerts  were  unnerving.  “For  the  first 
few  attacks,  we  came  unglued.  We 
said,  ‘We’d  better  sit  in  front  of  those 
monitors  all  day,’  ”  says  Brent  Tuttle, 
chief  technology  officer  at  the  Lexington,  Ky.-based 
college  supplies  retailer  and  online  community. 

That’s  not  an  uncommon  reaction,  users  say,  because 
the  sheer  number  of  alerts  can  be  overwhelming. 

Although an IDS should be part of any enterprise’s security toolbox,
users and analysts stress that the technology is no panacea. Because
such systems are reactive by nature, they’re always one step behind
attackers. False positives can cause unnecessary scrambling, while
the signature updates that make an IDS effective against new attacks
aren’t frequent enough, users say. And as Ecampus.com discovered,
implementing an IDS suddenly increases the awareness of access
attempts — although many may be harmless.

Managers  should  create  notification  and  escalation 
policies  that  answer  the  question:  Now  that  we’ve 
got  all  this  information,  what  are  we  going  to  do 
with  it?  In  an  effort  to  ease  this  burden,  vendors  are 
developing  smarter,  more  active  systems  that  ignore 
harmless  threats  and  have  decision-support  mecha¬ 
nisms  that  let  users  respond  to  the  serious  ones. 

It’s  critical  to  define  an  instant-response  policy 
before  firing  up  the  IDS,  users  say.  These  policies 
lay  out  how  to  respond  to  different  types  of  attacks, 
including  the  people  to  notify  and  in  what  order. 

Tuttle  says  Ecampus.com  had  two  top  priorities  in 
mind  when  it  shopped  for  an  IDS.  It  needed  to  be  ef¬ 
fective  against  students,  who  have  plenty  of  free  time, 
and  it  needed  to  be  automated  so  the  IT  staff  could 
focus  on  other  tasks.  The  firm  settled  on  Intruder 
Alert  from  Symantec  Corp.  in  Cupertino,  Calif. 

After  a  few  months  of  overreacting  to  false  posi¬ 
tives,  Tuttle  called  in  Symantec  consultants,  who 
educated  the  staff  on  which  attacks  were  significant 
and  those  that  weren’t,  until  he  had  “a  comfort  level 
that  we  were  locked  down  as  tight  as  we  can  be,” 
Tuttle  says. 

Ecampus.com  also  “developed  an  escalation  policy 
so  that  if  there’s  a  [denial-of-service  attack]  or  a 
server  down,  the  first  calls  go  to  the  responsible 
engineers,  then  I’m  notified,”  Tuttle  says. 

An IDS can free up staff time and eliminate some drudgery, but
sometimes there’s no substitute for the human eye. That lesson was
recently brought home to John Steensen, vice president and chief
technical officer at Intira Corp., a Pleasanton, Calif.-based
infrastructure outsourcer that counts among its customers the online
community Military.com.

In  April,  when  pro-Chinese  attacks  beset  U.S. 
businesses,  “Military.com’s  load  went  from  4%  to 
74%  [of  capacity],”  Steensen  says.  The  traffic  increase 
didn’t  trigger  any  IDS  alarms,  but  an  Intira  network 
engineer  “saw  it  just  didn’t  look  right”  and  notified 
Military.com,  he  says.  For  businesses  where  securi¬ 
ty  is  critical,  hiring  and  retaining  skilled  staff  makes 
sense.  “We  know  attacks  are  going  to  happen  no  mat¬ 
ter  what  the  technology,”  Steensen  says.  “You  still 
need  a  good  human  being  behind  [the  IDS].” 

Enterprise  IT  departments  are  increasingly  using 
hybrid  systems  —  a  combination  of  network-  and 
host-based  tools.  A  network-based  IDS  detects 
attacks  upfront,  according  to  Michael  Rasmussen,  a 
senior  analyst  at  Giga  Information  Group  Inc.  in 
Cambridge,  Mass.  “It’s  especially  good  at  scans 
around  the  perimeter,”  he  says.  A  host-based  system 
detects  changes  to  an  individual  server’s  hard  drive 
and  thus  serves  as  a  backup  to  a  network-based  IDS. 
They  also  catch  internal  abuse,  which  is  statistically 
more  likely  than  an  external  attack. 

Intira  uses  Symantec’s  Intruder  Alert  as  its  host- 
based  IDS  on  each  server,  with  the  network-based 
Cisco  Secure  IDS  from  Cisco  Systems  Inc.  “We 
deploy  inside  and  outside  the  firewall  so  we  can  see 
all  port  scans  and  attacks,”  Steensen  says. 

Because Intira’s staff interprets attacks, Steensen says, the
company makes little use of automatic shunning, a popular IDS
feature that can block addresses associated with malicious activity.
On the other hand, “if you’re running an unattended operation, you’d
want to configure [your IDS] to be more automatic,” and shunning
makes more sense, he says. But while organizations that shun traffic
require fewer staffers to monitor the IDS, they may inadvertently
turn away legitimate users.

In both staffing and technology, using an IDS is a balancing act. On
the technology side, new IDS users often “turn the volume way up,
then catch too many false [positives] — then turn the squelch down
to zero” — and attacks slip through, says Peter Lindstrom, an
analyst at Framingham, Mass.-based Hurwitz Group Inc.

Analysts and vendors say future systems will include better user
interfaces and features to help IT managers sort the false alarms
from the true threats. Vendors are already beginning to address
another issue: more automated and timely signature updates. Cisco
recently started pushing signature updates out to users of its
Secure IDS product.

Atlanta-based  Internet  Security  Systems  Inc.’s  new 
release  of  RealSecure  bundles  traditional  network- 
and  host-based  IDS  tools  with  the  blocking  of  active 
content  (such  as  executable  e-mail  attachments)  and 
malicious-code-scanning  software  with  a  single  in¬ 
formation-user  interface. 

Analysts  say  that  vendors  must  also  improve  their 
IDS  performance.  Such  systems  are  an  enterprise’s 
first  line  of  defense  and  make  tempting  targets  for 
would-be  intruders.  Rasmussen  says  IDS-specific 
attacks  have  gained  in  popularity  during  the  past 
year.  One  method  attackers  use  is  to  swarm  the  sys¬ 
tem  with  false  positives  in  the  hope  that  exasperated 
security  personnel  will  shut  off  the  IDS. 

Rasmussen  adds  that  in  denial-of-service  attacks, 
most  detection  systems  “fail-open”  —  that  is,  they 
stop  functioning  but  don’t  shut  down  the  rest  of  the 
network,  leaving  the  network  vulnerable. 

Ultimately, IT managers should view an IDS as another security tool
whose value correlates to the wisdom and resources with which it is
used. As Jeff Uslan, director of information protection at Los
Angeles-based Sony Pictures Entertainment says, the key to IDS is
“not what it’ll detect, but how you’ll use it.”

Ulfelder  is  a  freelance  writer  in  Southboro,  Mass. 

Contact  him  at  sulfelder@charter.net. 


MORE IN DEPTH STORIES

■ Outsourcing IDS: It requires less investment upfront, but it may not be less expensive in the long run. And trusting a third party requires a leap of faith. Is it for you?

■ IDS products can cost from several hundred to many thousands of dollars. Our online summary of IDS products and pricing gives you the basics.

www.computerworld.com/securityonline

IN  DEPTH  RESEARCH  ON  INTRUSION  DETECTION 

■  This  influential  paper  by  Thomas  Ptacek  lays  out  all  the  flaws  of 
IDSs  and  sent  vendors  scrambling  to  address  them.  Have  you  read  it 
yet?  www.cw.com/securitylinks. 


An Ounce Of Intrusion Prevention

Host-based IDSs tend to rely on signatures - the code-string fingerprints of a known attack - to trigger alerts. The trouble is, hackers create new attacks every day.

If they attack an organization using a technique that's not in the database of the IDS, the company is vulnerable. In response, vendors are offering products that look for suspicious activity and proactively block those potential attacks. Here’s a sampling of offerings:

■ Entercept Security Technologies

San Jose

(www.entercept.com)

Entercept  Security  Technologies’  Entercept  2.0 
consists  of  a  software  agent  that  resides  near  the  host’s 
operating  system  kernel.  It  monitors  system  calls  before 
they  reach  the  kernel,  uses  a  rules  engine  to  identify 
potentially  suspicious  activity  and  then  either  halts  the 
activity  or  notifies  the  administrator. 

■  Recourse  Technologies  Inc. 

Redwood  City,  Calif. 

(www.recourse.com) 

Recourse Technologies Inc. offers ManHunt, which performs the duties of a traditional IDS and uses an approach similar to Entercept’s to identify new attacks.

The drawback: Some legitimate activities in an organization may trip these systems. The staff will then need to define exceptions. Otherwise, the organization could wind up suffering too many false positives.

“These things are good for big hosting facilities, telcos and maybe financial [services firms],” says Hurwitz Group analyst Peter Lindstrom, because security is so vital to such organizations and attacks are so common.

- Steve Ulfelder

Profile

NAME: Patrick Lim
TITLE: Computer forensics examiner
ORGANIZATION: Regional Computer Forensics Laboratory, San Diego
NATURE OF HIS WORK: Collects and analyzes computer-related evidence in criminal investigations
SKILLS NEEDED: Lim says a combination of investigative and IT skills is key.
SALARY POTENTIAL: In law enforcement, $50,000 to $70,000; in private companies and consulting firms, computer forensic examiners can make up to twice that.
CAREER PATH: Computer forensics skills could lead to jobs in law enforcement agencies or in the private sector, where demand for forensics experts is growing.
ADVICE: Consider getting a certification, like that offered by the FBI’s Computer Analysis and Response Team program.


SOUTH DAKOTA, 1999. A woman is found drowned in her bathtub. An autopsy shows a high level of the sleeping pill Temazepam in her bloodstream.

It looks like a suicide — that is, until investigators take a close look at her husband’s computer. Turns out he’s been researching painless killing methods on the Internet and taking notes on sleeping pills and household cleaners. Armed with that evidence, prosecutors are eventually able to put him behind bars.

Law enforcement agencies across the country are realizing that computer-related evidence is valuable in catching all kinds of criminals, not just hackers.

That’s why they’re scrambling to hire and train officers skilled in computer forensics, the discipline of collecting electronic evidence.

In the corporate world, demand for these IT sleuths is increasing, as well. They usually work as consultants. For example, a company might call a forensics examiner in to investigate how a hacker got into an IT system or to find out which employee walked off with confidential files.

But whether he works for law enforcement or the business world, a computer forensics examiner must be able to thoroughly scour an IT system for evidence while following a strict protocol, so that the evidence can be used in a court of law.

We talked to one forensics examiner with exactly that set of skills — the kind of employee who’s sure to be in high demand in both worlds for years to come.

The investigator: Patrick Lim, computer forensics examiner at the Regional Computer Forensics Laboratory (RCFL) in San Diego

Previous experience: Lim has been a special agent at the Washington-based U.S. Naval Criminal Investigative Service (NCIS) for the past 17 years. But it was only about four years ago, when he was transferred to the NCIS’s Computer Investigations and Operations unit, that his career took a turn into the world of IT.

In January of last year, Lim helped launch the RCFL, a task force that pools the computer forensics resources of several law enforcement agencies in the San Diego area.

Lim says all examiners at the RCFL must have strong investigative and problem-solving skills, as well as a solid foundation in operating systems and computer imaging.

Responsibilities: Lim spends much of his time working on cases that directly involve computers, like child pornography on the Web or Internet fraud. Increasingly, though, all kinds of cases involve computers, he says. “In the past, people thought that computer forensics applied strictly to computer crimes,” says Lim. “But since computers are now such a part of everyday life, we’re finding that almost every crime at some point touches a computer.”

For example, at the site of a bank robbery, investigators recovered demand notes that were written using a notepad application. Examining one suspect’s computer, Lim found that the thief had been careful to delete the files. Looking deep into the hard drive, however, Lim was able to find copies of the notes that were automatically made by the printer.

No matter what the nature of the case, it’s essential to leave all of the evidence exactly as it was found — “just like a crime scene,” says Lim. For that reason, forensics examiners never work directly on suspects’ computers. Instead, they use computer imaging to make a complete bitstream copy of an entire machine, and they then comb the copy for whatever incriminating evidence they can find.

Tobias is a freelance writer in Santa Cruz, Calif.


MORE IN DEPTH STORIES

■ Advice from former Air Force regional crime investigator Jose Granado on how to launch a private-sector career in computer forensics.

■ And see our chart on top-paying regions and industries for IT security professionals.

www.computerworld.com/securityonline

COMPUTERWORLD ONLINE COMMUNITIES

Get advice from your peers, offer your own tips or post your opinion at:

www.computerworld.com/security

Computers are playing a major role in an increasing number of real-world crimes, fueling a need for investigators with strong technology skills. By Zachary Tobias

Manager Offers Primer On Computer Forensics

Vince’s company is loath to prosecute attackers, but gathering computer evidence is still part of the job

BY VINCE TUESDAY

MENTION THE WORD forensics, and I imagine rubber gloves and Dana Scully conducting autopsies in The X-Files. Thankfully, when applied to computers in general, forensics is less smelly and less likely to involve extraterrestrial life.

An increasing number of criminal investigations these days include evidence extracted from computers. However, because of the impermanence of digital data and the ease with which evidence can be manufactured, evidence has to be obtained with great care.

We have many thousands of computers in our company that are potential targets for criminal activity. Hackers may try to gain access to confidential data over the Internet. Insiders may try to modify expense claims after they’ve been approved.

Most of our efforts are spent trying to stop this from succeeding, but sometimes attacks slip past our defenses. Also, computers can be used as tools of crime, as when staffers download pornography from the Web or send our customer lists to their new employer by e-mail just before they quit.

Gathering  the  Evidence 

When our computers become the targets of a crime, we must gain access to the systems to verify that a crime has been committed. Once we know it isn’t a false alarm, we collect digital evidence to determine the scope of the crime. An accurate record of what has happened allows us to recover, repair and learn from the past. And if we collect evidence carefully, we can use it in court. If we handle the data without following the correct procedures, however, there’s nothing we can ever do to produce admissible evidence.

Practically speaking, we’re unlikely to present such evidence in court. Like most financial services organizations, we prefer not to drag our security problems through the justice system. But when we start investigating, we can’t be sure that we won’t uncover something that requires prosecution or that we could use to defend ourselves from a liability suit.

Courts require the highest standards of computer evidence. Increasingly, the tribunals used to resolve disputes between staff and company, such as wrongful dismissal cases, require the same level of evidence.

When a member of our staff uses one of our computers to commit a crime, digital forensics are the only way we can prove wrongdoing.

Our main forensic tool is EnCase software from Guidance Software Inc. in Pasadena, Calif. It allows us to boot up off of a floppy disk and copy a hard disk byte by byte. The methodology it uses is admissible in court. Guidance Software also offers several tools for searching and extracting evidence.

In today’s world of very large local disk drives, network storage, personal digital assistants and mobile devices, trying to find data can seem like hunting for a needle in a haystack. User behavior helps narrow this down. Most users seem to feel that their local drives are safer than the network. They seem to believe that we have enough time and resources to check only the network drives for questionable material.

This belief makes our investigations simpler. A simple local disk search usually uncovers all the evidence we need. And since local drives are less busy than network drives, deleted files are less likely to have been overwritten.

Cheap  and  available  encryption  may 
be  a  brief  hindrance  for  the  feds,  but  for 
us,  it  draws  an  impenetrable  veil  across 
the  data,  unless  our  users  have  chosen 
easy-to-crack  WinZip  compression  or 
Microsoft  Office  encryption.  Luckily, 
our  policy  prohibits  staff  from  using 
encryption  without  providing  a  key, 
so  disciplinary  charges  can  be  brought 
without  us  having  to  break  the  code. 

I’ll bet a good many readers are jumping up and down about free speech and the right to privacy. I assure you that our staffers can afford home systems with Internet access, and that’s the place for them to exercise those rights. We explain clearly to all staff that they should have no expectation of privacy when using work systems.

Wrongfully  Accused 

While forensics evidence can implicate users, it can also clear them from suspicion. Recently, a disgruntled worker was suspected of hacking our internal systems. Management called us in to provide the digital evidence to sack him with no danger of a wrongful dismissal suit.

We carried out a 3 a.m. black-bag job on his machine, carefully taking digital photos of his desk and machine so that we could restore everything without alerting suspicion. We quickly took his machine to our lab. Within a few hours, we had dismantled the machine, taking care not to disturb the dust on the outside. We added a second disk to hold the evidence and booted the machine from the EnCase floppy disk. We carefully made an exact copy of the disk, returned the machine and retired to the lab to examine the results.

When we return from such a mission, we always check all the tools we used, like surgeons in an operation, to make sure we haven’t left anything in the patient. This time, we couldn’t find the boot floppy. A swift return to the alleged crime scene recovered the offending disk. How foolish would we have looked when the suspect booted his machine the next morning, only to be greeted by a “Welcome to EnCase forensic solutions” screen? Fortunately, attention to detail averted that disaster.

Sometimes, even we jackbooted privacy invaders can actually help someone clear his name. With careful analysis, we were able to show that this particular user’s machine and the use of software on it were legitimate. We went through it so closely that we could see the pornographic images downloaded three users back. Our forensic evidence was enough to overturn the circumstantial evidence against him.

Some readers may disagree with our methods, but the results speak for themselves. I welcome your comments in the Security Manager’s Journal forum.

GLOSSARY

Computer forensics: The investigation of computer crime, including the collection, analysis and presentation in court of electronic evidence.

Black-bag job: Slang for the surreptitious entry into an office to obtain files or materials.

LINKS

www.usdoj.gov/criminal/cybercrime/search_docs/toc.htm: This Web page, “Federal Guidelines for Searching and Seizing Computers,” includes the U.S. government’s policy for collecting computer evidence. Designed for federal agencies, it’s also a useful resource to learn the correct procedures to follow when gathering evidence.

www.guidancesoftware.com/html/index.html: Guidance Software’s Web site includes information on its EnCase digital forensic software, hardware and training services.

www.sans.org/infosecFAQ/incident/forensics.htm: This paper by Dorothy A. Lunn, at the Web site of Bethesda, Md.-based SANS Institute, offers an excellent introduction to computer forensics, including references to an array of products, training resources and additional reading.

MORE ONLINE

For more on the Security Manager’s Journal, including past journals, visit

www.computerworld.com/securitymanager

* This week’s journal is written by a real security manager, “Vince Tuesday,” whose name and employer have been disguised for obvious reasons. Contact him at vince.tuesday@hushmail.com or go to the Security Manager’s Journal forum.
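Both forensics pieces above describe examining a byte-by-byte copy rather than the original disk, and finding material the user thought was deleted. The Python below is an added example, not code from either article or from EnCase: it images a constructed stand-in "disk" file, confirms with SHA-256 that the copy matches and the source is unchanged (hash verification is an assumption added here; the articles name no method), and searches the copy for a made-up remnant string.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # block size for reads; an arbitrary choice for this example


def image_device(src_path, dst_path, chunk=CHUNK):
    """Copy src to dst byte for byte. Returns (sha256 of the bytes read, byte count)."""
    digest = hashlib.sha256()
    total = 0
    # The source is opened read-only. Mode "xb" refuses to overwrite an
    # existing image, so earlier evidence cannot be clobbered by mistake.
    with open(src_path, "rb") as src, open(dst_path, "xb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            dst.write(block)
            digest.update(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    return digest.hexdigest(), total


def hash_file(path, chunk=CHUNK):
    """SHA-256 of a file, read in blocks so large images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def search_image(path, needle, chunk=CHUNK):
    """Return absolute offsets of needle in the image, including hits that
    straddle a block boundary (a naive per-block search would miss those)."""
    if not needle:
        raise ValueError("needle must not be empty")
    overlap = len(needle) - 1
    hits = []
    tail = b""   # last `overlap` bytes of the previous window
    base = 0     # absolute offset of the first byte of the current window
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            window = tail + block
            start = 0
            while True:
                i = window.find(needle, start)
                if i < 0:
                    break
                hits.append(base + i)
                start = i + 1
            tail = window[-overlap:] if overlap else b""
            base += len(window) - len(tail)
    return hits


def demo():
    """Image a constructed 12 KB 'disk' and look for a constructed remnant."""
    chunk = 4096
    note = b"CONSTRUCTED-DEMAND-NOTE"  # made-up leftover of a deleted file
    disk = bytearray(b"\x00" * (3 * chunk))
    offset = chunk - 5                 # placed across the first block boundary
    disk[offset:offset + len(note)] = note
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "suspect_disk.raw")   # hypothetical names
        dst = os.path.join(workdir, "evidence.img")
        with open(src, "wb") as f:
            f.write(disk)
        src_hash, size = image_device(src, dst, chunk)
        return {
            "size": size,
            "image_matches_source": hash_file(dst, chunk) == src_hash,
            "source_unchanged": hash_file(src, chunk) == src_hash,
            "hits": search_image(dst, note, chunk),
            "expected_offset": offset,
        }


if __name__ == "__main__":
    print(demo())
```

All searching is done on the image file, never on the source, which is the separation both articles insist on.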
PKI networks promise to make online transactions safer. Trouble is, they’re hard to build, so few bother. But that may be changing. By Jaikumar Vijayan

PUBLIC-KEY INFRASTRUCTURES (PKI) that create the ability to maintain privacy, authenticate users, protect the integrity of data and execute transactions without the risk of repudiation have long held the promise that they could make online transactions safer.

But corporations need to have a clear understanding of what they want to do with the technology and be prepared to face up to thorny integration, interoperability and legal issues if they are to see any of that promise fulfilled, users and analysts say.

“PKI in and of itself means nothing,” says Steve Ellis, executive vice president of San Francisco-based Wells Fargo & Co.’s Wholesale Internet Solutions group.

For PKI to be relevant, “you have to first think through what identity management means for the way your business operates,” says Ellis. “You need to know what your critical [information] assets are and figure out when to implement a digital authentication strategy as opposed to [another means of authentication].”


A PKI infrastructure consists of dedicated hardware, software, data transport mechanisms, smart cards and applications, along with governing policies and protocols, that companies can use to establish a high level of trust when carrying out online transactions.

The following components lie at the core of PKI-enabled services:

■ A certificate authority (CA) that verifies an applicant’s identity and issues a digital certificate, or electronic identification, containing a public key to encrypt and decrypt messages and digital signatures.

■ A registration authority that checks the credentials of individuals applying for digital certificates.

■ Data repositories for storing the certificates.

If deployed successfully, such infrastructures can provide the basis for securely conducting a wide range of online activities using electronic IDs, electronic signatures and encryption.

Wells Fargo, for instance, has begun testing a new PKI-enabled business-to-business service that lets businesses negotiate, purchase and pay for goods online in real time, in a nonrepudiable manner using digital IDs. The company acts as a CA and issues digital certificates that customers use as electronic IDs while conducting business-to-business transactions.

But  formidable  challenges  stand  in 
the  way,  users  and  analysts  say. 

For one thing, PKIs are costly and complex to implement. They provide a mechanism for secure online transactions, but a lot of their success depends on human processes.

For example, just because someone has an electronic ID doesn’t mean that person is who he claims to be. A lot depends on the rigor applied by the CA in identifying and authenticating users and in controlling their access to services based on their user profiles.

The U.S. Postal Service, for instance, offers a PKI-enabled service called NetPost.Certified for secure government-to-government and government-to-consumer transactions.

NetPost.Certified uses the Postal Service’s 38,000 branch offices as stations at which consumers can present the identification that some federal agencies require before issuing individual digital certificates.

Without this kind of rigor, the whole concept of electronic IDs can quickly become meaningless.

The technology also raises many legal questions, says Eric Kossen, global head of project management at a PKI-enabled service from ABN Amro Holding NV, the Amsterdam-based financial services giant.

Like  Wells  Fargo,  ABN  Amro  acts  as 
a  CA  that  issues  electronic  IDs  for  a 
new  business-to-business  purchase 
and  payment  service  aimed  at  large 
businesses. 

“If you operate as a certificate authority, you take on a certain level of responsibility for that role,” Kossen explains.

A lot of the questions surrounding PKI have to do with the way certificates are issued, verified, revoked and checked. There are also uncertainties about the level of trust assigned to digital IDs issued by other CAs. And there are even questions about such fundamental issues as the legal validity of electronic signatures and the manner in which they are stored, says Kossen.

[Figure: Components of PKI. Panels: Certificate Authority, Digital Certificate, Repository. Arrow labels: Trust relationship, Information sharing, Exchange of data.]

Despite major vendors’ claims that their products are mature, many PKI technologies are still evolving. Many vendors claim to offer the entire range of technologies needed to build a PKI service. Often though, it’s best to choose best-of-breed products from a variety of vendors, say users and analysts. But that raises issues of interoperability and standards. Putting up a PKI framework, therefore, means dealing with a hodgepodge of technologies that seldom work with one another and are constantly evolving, say users.

Few applications are enabled out-of-the-box to take advantage of PKI services. This means users must integrate them into PKI networks. A growing number of vendors offer tool kits that snap into applications and make them PKI-ready. But these tool kits don’t easily interoperate.

Resolving interoperability issues means addressing them at the application level, at the component level and between multivendor PKI domains, according to a recent white paper published by the PKI Forum, a Wakefield, Mass.-based consortium of vendors established to address the issue.

Application-level interoperability deals with PKI services, such as encryption, authentication and nonrepudiation, between peer applications, such as two e-mail clients, according to the PKI Forum.

Component-level interoperability relates to the manner in which devices that provide and consume PKI services, such as a CA, interact with other similar devices.

Interdomain  interoperability  deals 
with  how  to  link  multiple  PKI  domains 
that  are  based  on  technologies  from 
different  vendors. 

Interoperability  is  also  important  in 
the  long  term  because  it  lowers  the 
risk  of  customers  being  tied  to  a  single 
vendor  or  technology,  while  offering 
them  a  greater  choice  among  vendors, 
says  Laura  Rime,  a  director  at  New 
York-based  Identrus  LLC. 

Identrus is a for-profit company established by eight leading global banks. Since 1997, it’s been building a PKI-based global system that assures businesses of the identity of their trading partners.

Financial institutions that are part of the Identrus network issue digital certificates to conduct online transactions with certified trading partners.

Identrus has a prescribed interoperability test process and baseline standards that PKI vendors have to meet in order to be able to sell to Identrus’ member institutions. The number of products and technologies that have qualified now exceeds 25 — more than double the number at this time last year, Rime says.

Because  acceptance  of  PKI  has  been 
limited  so  far,  there  hasn’t  been  a  sense 
of  urgency  among  vendors  to  advance 
interoperability,  says  Dan  Heilman,  a 
manager  at  Cylink  Corp.  in  Santa 
Clara,  Calif. 

Despite the promise of PKI, most corporations still aren’t quite sure what to do with it, says Wells Fargo’s Ellis. One of the reasons is that there are other readily available authentication alternatives, ranging from basic passwords to biometric technologies, that companies can use, he says.

But “if PKI interoperability is what you are waiting for, then wait no more,” says Peter Lindstrom, an analyst at Hurwitz Group Inc. in Framingham, Mass. “Start your deployment now, because by the time you get to a point where you want to connect external CAs, the issues will have resolved themselves.”

MORE IN DEPTH STORIES

■ The U.S. Postal Service deployed PKI services to protect transactions with customers and other agencies, but vendor promises fell short. Find out how.

■ Shopping? Search our list of PKI vendors - or just bone up on the technology.

■ Instructions, research and white papers on the dangers, risks, benefits and architecture for a solid PKI network

www.computerworld.com/securityonline

Initial efforts to provide online authentication have been costly and complex. By Michael Meehan

Last year, the federal government couldn’t move fast enough to pass a digital signatures law, which it finally did in October.

But almost a year later, it appears that all of the hullabaloo has turned out to be little more than smoke, as many companies have managed to make do without state-of-the-art authentication and security technologies.

Prior to the legislation, it was believed that the electronic identifiers were needed to support the online business-to-business explosion that appeared to be just around the corner.

At the same time, many companies were being told they had to put a public-key infrastructure (PKI) cryptography and authentication system in place to be sure they weren’t doing business with cyberpirates.

However, business-to-business e-commerce didn’t boom as quickly or as broadly as anticipated. Meanwhile, those companies that are dabbling in the e-commerce arena have managed to do so without digital certificates.

“What we learned is you don’t have to have these things in place to start electronic commerce,” said Jan Sundgren, an analyst at Giga Information Group Inc. in Chicago.

However, a second-generation PKI standard that embeds authentication processes into e-commerce applications and smart cards that are enabled for digital certificates have evolved during the past year, pushing online authentication closer to viability.

Not  So  Fast 

The  main  hurdles  to  adoption  are 
cost  and  difficulty  of  implementation. 

For  instance,  a  November  survey  of 
1,026  executives  at  U.S.  companies 
with  revenues  of  more  than  $1  billion 
revealed  that  only  16%  of  the  firms  had 
completed  work  on  digital  certificate 
infrastructures,  according  to  Frank 
Prince,  an  analyst  at  Cambridge,  Mass.- 
based  Forrester  Research  Inc.,  which 
conducted  the  survey. 

In  1999,  half  the  companies  in  For¬ 
rester’s  annual  e-commerce  poll  said 
they  would  have  working  PKI  systems 
in  place  by  the  end  of  this  year.  But 
when  Forrester  conducted  the  poll  > 
again  last  year,  only  one-third  of  ^ 

the  respondents  said  they  believed 
they  could  achieve  that  goal  in  the  > 
next  two  years.  > 

“The expectations fell off after they had the experience with the implementation and expense of digital certificate technology,” says Prince. “What they discovered is that this isn’t as easy as they thought.”

One of the chief hurdles to the adoption of digital certificates is that most PKI software has been developed along proprietary lines. Authentication services that might work well to support internal expense reports or personnel evaluations don’t necessarily translate in a business-to-business format.

PKI allows companies to send encrypted messages through a public registry; each message is then decrypted by a private key that the receiver holds.

As it turns out, many companies that are capable of issuing PKI certificates rarely use them.

Jurgen Leijdekker, U.S. managing director at Denver-based eCredible Ltd., a transaction risk-management subsidiary of Amsterdam-based credit insurance company NCM NV, says it’s rare for companies to ask for digital certificates when they do business online.

“We can issue them, but many companies feel a password in their hands is somehow more secure,” he says.

Even though risk management often involves the most sensitive financial aspects of online trading, few companies are able to perform the decryptions. As a result, executives at eCredible view digital certificates as a perk service, not something central to its business, Leijdekker says.

A proposed standard called XML Key Management Specification (XKMS) may help solve this dilemma. Submitted in April to the World Wide Web Consortium standards body, XKMS is based on Web services protocols such as Web Services Description Language and Simple Object Access Protocol. The standard was designed with the goal of providing interoperability between PKI systems.

XKMS incorporates authentication services inside of e-commerce applications. Currently, desktop and e-commerce applications must be enabled to handle digital keys for authentication.

As a result, no longer would both the buyer and seller need fully implemented PKI infrastructures to exchange certificates or signatures.
The P3P standard may not make Web surfing more private, but it might give consumers a way to enforce the promises that Web sites make.
By Deborah Radcliff

With Microsoft set to release its first browser-based consumer privacy controls later this month, the Platform for Privacy Preferences Project (P3P) standard is about to step into the limelight. Already, 63 companies have joined the P3P bandwagon. They’ve rewritten and tagged their privacy statements in XML to make those policies readable by Web surfers’ machines. And many more e-merchants are well into the process of making their online privacy statements P3P-compliant.

The promise of P3P is that it will give users control over how their data is gathered and used. By supporting the standard, e-merchants hope to draw consumers back to the Web, and maybe even gain some loyalty in the process.

But critics are wary of this silver-bullet approach to consumers’ privacy, charging that tools that only expose privacy policies don’t hold e-businesses accountable for promises they make. And early iterations of Microsoft Corp.’s browser tool and the other emerging P3P plug-in by YouPowered Inc. in New York aren’t really reading full privacy policies when deciding whether to allow a read from or write to a cookie, making it harder to automate personal preferences on privacy.

DoubleClick’s Jules Polonetsky: P3P “is the beginning of allowing users to say, ‘I’ll give you this, but I won’t give you that.’”

“P3P will not improve the current level of privacy protection,” says Andy Shen, policy analyst at EPIC.org, a privacy advocacy group in Washington. “What we need is standards — something to hold [vendors] accountable. Because without those, there’s no enforcement.”

But these early iterations of P3P are better than doing nothing, say proponents. And as implementations expand to offer more granular choices for users, P3P could be the biggest thing to hit the browser since Secure Sockets Layer encryption, say early adopters.

The  Language 

By tagging English-language privacy statements in XML, Web businesses make their policies readable by any P3P client. As P3P matures, users should eventually have a vast array of settings they can use to tailor their Web experiences to their preferences.

“The benefit of P3P is once you establish a set of general preferences, the review of the site’s policy happens automatically,” says Jules Polonetsky, chief privacy officer at e-mail marketing company DoubleClick Inc. in New York. “This is the beginning of allowing users to say, ‘I’ll give you this, but I won’t give you that.’ Tell me what [the Web site is] asking for, and my browser will interact.”

The back-end work of tagging privacy statements in XML is straightforward, says Lorrie Cranor, chair of the P3P specifications working group spearheaded by the World Wide Web Consortium. Cranor, also a principal technical staff member at AT&T Labs in Florham Park, N.J., has completed tagging AT&T Corp.’s English-language privacy policy for P3P compliance.

The difficult part is re-creating the privacy statements in the fine detail required to make them P3P-compliant, according to both Cranor and Polonetsky.

“Your privacy statement and your P3P statement are likely to be different documents,” says Polonetsky, who’s in the midst of rewriting DoubleClick’s privacy statements for P3P. “Most privacy policies don’t go into as much detail as P3P does — or cover the gamut of technology that has any information relationship, like navigational data, log files, HTTP refers.”

To make this easier, Cranor developed a template-based privacy policy generator to cover the mundane detail called for in P3P-compliant policy statements. AT&T’s new policy, which went live July 1 at www.att.com/privacy/, addresses not only what data is collected, but also how it’s collected and what’s done with it. Some examples include the following:




■ Data collection: AT&T’s policy specifies what the data is collected for: billing services, change services, problem resolution and product information. “This means that AT&T may use your customer-identifiable information, in conjunction with information available from other sources, to market new services to you that we think will be of interest to you, but we will not disclose your customer-identifiable information to third parties who want to market products to you,” the statement says.

■ Cookies: The policy states that “AT&T servers automatically gather information about which sites customers visit on the Internet and which pages are visited within an AT&T Web site. The company does not use that information, except in the aggregate.”

■ Disclosure: AT&T’s policy states it will not sell, trade or disclose this information — including customer names and addresses — to third parties without consent of customers. It also says AT&T will ensure that contractors also protect the customer-identifiable information.

Polonetsky says DoubleClick’s privacy policies are clear, but the company’s use of cookies is complex because it monitors Web surfing habits to determine which ads to send to consumers’ browsers. So his efforts have mostly centered on making sure cookie use is portrayed accurately, which has taken extensive conferencing with DoubleClick’s legal, privacy, marketing and technical people, he says.

Missing from P3P work is language for data security, something even the Federal Trade Commission (FTC) brought up to the P3P working group when it was formalized in 1997. But when the working group looked into allowing consumers to set their data security preferences, it decided it was impossible to objectively define which sites are secure, says Cranor.

That’s because anyone with a firewall can say they protect consumers’ data, even if that firewall is junk, she says. P3P does include a hook for security vocabulary, but it won’t be useful until some best security practices, such as the published security standard ISO 17799 or Visa International Inc.’s merchant security policies, are universally adopted. Then, the XML-readable security policy could verify that a site protects the customer’s data by saying that it adheres to the ISO 17799 security standards, for example.

The  Revolution 

Microsoft demonstrated its P3P in its browser in December at a privacy/security conference it hosted. YouPowered also has a browser plug-in. Netscape Communications Corp. is waiting for a secret third-party developer to deliver an open-source P3P reader for its browser at a yet-to-be-determined point in time. And AT&T is developing a P3P reader of its own, perhaps for commercial use in the future, according to Cranor.

What Is P3P?

The Platform for Privacy Preferences Project (P3P), developed by the World Wide Web Consortium, is an emerging industry standard that gives users more control over personal information gathered on Web sites they visit.

P3P consists of a standardized set of multiple-choice questions covering all aspects of a Web site’s privacy policy. The answers offer a snapshot of how a site handles users’ personal information. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P-enabled browsers read the snapshot and compare it to the consumer’s privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and enabling users to act on what they see.

- Deborah Radcliff

Some criticize Microsoft’s tool for not automatically reading full privacy statements. However, Polonetsky and Cranor both say that’s a good thing, because to do otherwise at this early stage of adoption would block access to non-P3P-compliant sites. And the P3P reader operates much faster by reading just the cookie headers and reading full privacy policies only when the Web surfer specifically requests it, says Michael Wallent, the director of Microsoft’s Internet Explorer team.
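
The header-only check described above can be sketched as follows. This is an added example, not code from Microsoft, YouPowered or this article; it assumes the site summarizes its policy as a P3P 1.0 compact policy in a `P3P:` response header, and the preference settings and sample headers are constructed for illustration.

```python
"""Decide whether to accept a cookie from the P3P compact policy sent with it."""
import re

# Compact-policy vocabulary of the P3P 1.0 specification.
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
OTHER_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",        # access
    "DSP", "COR", "MON", "LAW", "NID", "TST",        # disputes, remedies, misc.
    "NOR", "STP", "LEG", "BUS", "IND",               # retention
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
    "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",  # data categories
}
# Purpose and recipient tokens may carry a consent suffix; none means "always".
SUFFIX = {"a": "always", "i": "opt-in", "o": "opt-out"}

CP_FIELD = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)
TOKEN = re.compile(r"^([A-Z]{3})([aio]?)$")

# Hypothetical user preferences (an assumption of this example): "I'll give you
# this, but I won't give you that."
DEFAULT_PREFS = {
    "refuse_recipients": {"UNR", "PUB"},      # unrelated third parties, public
    "opt_in_only_purposes": {"CON", "TEL"},   # contact and telemarketing
    "on_missing_policy": "accept",            # do not lock out non-P3P sites
}

# Constructed sample header values.
SAMPLES = {
    "first_party": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADM DEV OUR BUS"',
    "ad_network": 'CP="NOI DSP COR CUR TELo OUR UNR STP"',
    "opt_in_sharing": 'CP="NOI CUR CONi OUR UNRi IND"',
    "garbage": 'CP="this is not a policy"',
}


def parse_compact_policy(header_value):
    """Return [(token, consent)] for recognised tokens, or None if no CP field."""
    if not header_value:
        return None
    field = CP_FIELD.search(header_value)
    if field is None:
        return None
    parsed = []
    for raw in field.group(1).split():
        match = TOKEN.match(raw)
        if match is None:
            continue  # not a compact-policy token at all
        code, suffix = match.groups()
        if code in PURPOSES or code in RECIPIENTS:
            parsed.append((code, SUFFIX.get(suffix, "always")))
        elif code in OTHER_TOKENS and not suffix:
            parsed.append((code, None))
    return parsed


def decide_cookie(header_value, prefs=DEFAULT_PREFS):
    """Return (verdict, reasons); verdict is 'accept' or 'block'."""
    tokens = parse_compact_policy(header_value)
    if not tokens:
        # Absent, empty or unparseable policy: fall back to the user's default.
        return prefs["on_missing_policy"], ["no usable compact policy"]
    reasons = []
    for code, consent in tokens:
        if code in prefs["refuse_recipients"] and consent != "opt-in":
            reasons.append(f"shares data with {code} recipients ({consent})")
        if code in prefs["opt_in_only_purposes"] and consent != "opt-in":
            reasons.append(f"uses data for {code} purpose ({consent})")
    return ("block" if reasons else "accept"), reasons


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, decide_cookie(header))
```

The verdict rests entirely on what the site declares about itself, which is the accountability gap the critics quoted in this article point to.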

Critics have said they would also like to see P3P somehow create more merchant accountability. One could argue, however, that accountability and enforcement are already on the rise. Currently, some 50 privacy-related bills are hung up in Congress. And the FTC is using existing laws regarding deceptive practices, negligence and breach of contract to go after companies that violate consumer privacy (first in line was DoubleClick).

Add merchant accountability to a sense of consumer empowerment, and e-commerce may actually live up to its promise.

“Statistics show that people on the Internet are concerned about identity theft and other privacy issues,” says Gary Clayton, CEO of the Privacy Council, a privacy consulting group in Dallas. “I think P3P is the beginning of things to come.”




JOE  AUER/DRIVING  THE  DEAL 

Feeling Safe With IT Security Deals

To IT professionals, the word security generally evokes operational-type thoughts. For instance, there’s a need for physical security of the data itself. And there’s software-controlled access to the secure network. Then there’s security to control access to the organization’s order entry and financial systems and to the underlying databases. Now, with the proliferation of Web-based systems, Internet firewall security has become a growing concern.

Regardless of the setting, security is a major control issue facing not only today’s IT managers, but everyone else as well.

Although the security function is staffed internally, the tools we use, for the most part, are rarely homegrown. To build the security infrastructure, IT managers go outside to license software, purchase or lease hardware, and contract for consulting services. But there’s always a contract involved — yours or the vendor’s. From a deal management perspective, contracting for security is like any other technology acquisition: You must make sure you get what you pay for.

In the rush to build a security infrastructure, don’t forget about the rights and obligations of the contract. You must take the time to do it right. Don’t get caught with contract “gotchas” that come back to haunt your organization after the deal is done. Contract problems during the relationship take time away from other activities and can cost you significant bottom-line dollars, along with some career embarrassment. And the fixes are seldom easy.

The list of ugly contracting possibilities is much longer than this column. But it’s important to focus on some of the more potentially problematic areas. Think of the following as a checklist to prevent any “gotchas” in security contracting. You can use it to level the negotiating field.

Software

When the contract involves security software, watch for the following things:

■ The license should be perpetual, irrevocable and of sufficient scope to cover your entire organization.

■ The vendor should guarantee that the software will perform according to the published specifications for at least a year. If it doesn’t, the vendor should fix it at no charge. Or, if it can’t be fixed, the vendor should refund your money and “make you whole” for the expenses you incurred related to its software.

■ Maintenance should include enhancements (minor improvements and bug fixes) and upgrades.

■ Insist on the right to install and test the software before paying the majority of the money specified in the deal. There’s nothing like testing in your own environment to make sure you’re getting what you think you’re paying for.

Consulting

When the contract involves consulting services, watch for the following things:

■ Make sure the consultant is fully qualified. Check references, and interview staffers assigned to your site.

■ Make sure the consultant’s responsibilities and expected results are carefully documented in the contract.

■ Make your payments based on the consultant’s achievement of acceptable results, not on the passage of time.

■ Provide for frequent project status meetings.

■ Make sure you own all of the consultant’s deliverables.

■ Make sure there’s a confidentiality agreement in place between you and the consultant.

Hardware

When the contract involves hardware, watch for the following things:

■ Secure the right to test the hardware in your own environment before final payment.

■ Check the vendor’s warranty carefully, and understand what’s included (such as parts or labor) and for how long.

■ Make sure the configuration ordered is complete. Get the vendor to warrant that it has included all the necessary components. This helps avoid unexpected charges for additional equipment.

■ Get a firm delivery date, and hold the vendor accountable with remedies if it fails to deliver on time.

In short, no matter how great your hurry to plug some hole in your security plan, always remember to make sure there’s a well-thought-out contract. These guidelines will get you closer to a safe and “secure” agreement — and closer to getting what you think you’re paying for.


Joe Auer is president of International Computer Negotiations Inc. (www.dobetterdeals.com), a Winter Park, Fla., consultancy that educates users on high-tech procurement. ICN sponsors CAUCUS: The Association of High Tech Acquisition Professionals. Contact him at joea@dobetterdeals.com.


QuickStudy Guide to Security

Find it online at www.computerworld.com/cwi/quickstudy

■ Competitive intelligence: The process of monitoring competitors and the competitive environment using the systematic gathering of data from many IT-enabled sources.

■ Digital certificates: Data files used to establish the identity of people and electronic assets on the Internet. They allow for secure, encrypted online communication and are often used to protect online transactions. They can be used as electronic passports to enable electronic transactions, but only if your infrastructure is set up to handle them.

■ Digital wrappers: A program wrapped around another program or file, such as an e-mail message. The wrapper acts as a multifunction gatekeeper to do things like encrypt and secure e-mail or control the enclosed program from running under certain circumstances.

■ Intrusion detection: The art and science of sensing when a system or network is being used inappropriately or without authorization. If having a firewall is like having a security guard at the door, then an intrusion-detection system is like having a network of sensors that tells you when someone has broken in, where he is and what he’s doing.

■ Proxy server: An Internet server that controls client computers’ access to the Internet. Using a proxy server, a company can stop employees from accessing undesirable Web addresses, improve performance by storing Web pages locally and hide the internal network’s identity.

■ Risk management: The process whereby potential risks to a business are identified, analyzed and mitigated, along with the process of balancing the cost of protecting the company against a risk vs. the cost of exposure to that risk.

■ Virtual private network (VPN): A secure, encrypted connection between two points across the Internet. VPNs transfer information by encrypting and encapsulating traffic in IP packets and sending the packets over the Internet; that practice is called tunneling. Most VPNs are built and run by Internet service providers.


Finjan’s Software Blocks Active Content Threat

Start-up’s product monitors suspicious activity from executable e-mail attachments

BY PIMM FOX

There’s no shortage of reasons for corporate IT managers to be concerned — very concerned — about external threats to the security of their systems. Trojan horses and viruses that enter organizations as executable e-mail attachments are abundant, and antivirus software doesn’t always catch them.

Finjan Software Inc.’s response is SurfinShield Corporate and SurfinGate, software that actively monitors downloaded active content, including executables, ActiveX and Java scripts, on individual desktops and at e-mail gateways.

By monitoring code behavior, Finjan’s products let companies enforce security policies by automatically blocking malicious activity before it causes damage to PCs. “The days of relying on reactive security products to stop malicious code attacks are over,” says Phil Kantz, president and CEO of the San Jose-based start-up. “Companies cannot afford to wait hours or days for security updates to be protected from new attacks.”

A security analyst at a major Northwest retailer, who declined to be named, can attest to that. “I saw SurfinShield, and then six months later, the Melissa virus hit,” he says. “We decided to segment the responsibility of dealing with these threats by installing the desktop version, mainly because we had very few means of identifying the attacks before they hit.”

He says the product has successfully blocked subsequent active content attacks before they could do damage.

“Finjan’s software controls code behavior before it becomes active,” says Christian Christiansen, an analyst at Framingham, Mass.-based IDC. “It catches attacks before they can do harm.”

“Monitoring programs for malicious behavior, or sandboxing, has come of age and proved its effectiveness against worms like ‘I Love You’ and Anna Kournikova,” says Yigal Edery, Finjan’s director of research and development.

Plus, Internet worms can change their characteristics every four to six hours, which is faster than antivirus software vendors can turn around virus signature updates, adds Dave Kroll, the firm’s director of marketing.

SurfinShield Corporate runs on each PC in the background, watching for file violations and checking for attempts to delete files, access registries or access the operating system. It also has a central console for setting policy, monitoring and administering SurfinShield across all desktops.

Administrators can also set policies that let some ActiveX controls in while blocking others. “We needed to offer software that allows for specific controls to run software that uses ActiveX controls like WebEx, while still enforcing security policies,” says Kroll. “SurfinShield does that.”

Finjan’s SurfinGate protects e-mail gateways running on Windows NT, Windows 2000 or Unix servers. Finjan says its customers include the Internal Revenue Service, the European Parliament and the Pentagon.

People Problem

When installing SurfinShield Corporate on desktops, IT managers may need to overcome some user resistance, the Northwest retailer discovered. “We also had to explain to our 600 desktop users why we were installing this; we weren’t trying to censor what they looked at, but rather we had to block applets that posed a threat to our system,” says the company’s security analyst.

He did have a few other issues. The security signatures in SurfinShield were corrupted when desktop users installed Microsoft’s Internet Explorer 5, but Finjan fixed this in its current version, the analyst says. And SurfinShield doesn’t audit the behavior of macros.

“What using SurfinShield brought to my attention is that when you attach to any Web site, you are basically giving that Web site entire rights to your system,” says the security analyst. “We tell people, ‘Thou shalt not open executables.’ But they do it anyway. SurfinShield is now blocking that.”

PHIL KANTZ, CEO of Finjan Software, says his company’s products take a proactive, rather than reactive, approach to security.

Finjan Software Inc.

2860 Zanker Road, Suite 201
San Jose, Calif. 95134
(408) 981-1690

Web: www.finjan.com

Niche: Its software monitors executable e-mail attachments and other active content and blocks suspicious behavior. It protects by monitoring activity, rather than relying on virus signatures.

Company officers:

• Phil Kantz, acting president and CEO

• Jeff Feuer, vice president and chief financial officer

• Yigal Edery, director, research and development

Milestones:

• January 1998: Company founded, SurfinGate released.

• Q1 1999: SurfinShield Corporate released.

• July 2000: Awarded a U.S. patent for the code inspection technology.

Employees: 60

Burn money: $20 million from Bessemer Venture Partners LLC, Star Ventures Capital LLC, RRE Ventures LLC, CSK Venture Capital Co. and Security Dynamics, a subsidiary of RSA Data Security

Products/pricing: SurfinShield Corporate 5.5: $59 per seat; SurfinGate 5.6: $49 per seat.

Customers: European Parliament, U.S. Pentagon, IRS, others.

Red flags for IT:

• The products won’t help with pre-existing viruses.

• Some antivirus software vendors are adding this capability.

• Products are a supplement to, not a replacement for, antivirus software.


Riding the Cybercrime Wave

Finjan is at the right place at the right time. Gartner Inc. in Stamford, Conn., estimates that the economic cost of cybercrimes will increase 1,000% to 10,000% through 2004, and attacks generated through executable e-mail attachments are an increasing part of the mix.

Finjan operates in a specialized security space: its products perform real-time monitoring of inbound active content in e-mail attachments and block associated activity produced by these viruses. But because the software can accommodate different profiles, administrators can allow certain types of ActiveX content to flow to the end user. This is called “white listing,” and a few competitors in the field also offer some degree of this customization.

According to IDC analyst Christian Christiansen, the market for this type of software is hard to gauge because it's part of larger offerings from companies such as Islandia, N.Y.-based Computer Associates International Inc. CA's eTrust product, for example, works within the Unicenter TNG Framework to block some types of active content but normally reacts only to known viruses.

Some vendors of intrusion detection software are also adding blocking of active content for servers. For example, Atlanta-based Internet Security Systems Inc. recently added such capabilities to its RealSecure intrusion detection software.

As for offerings from traditional antivirus vendors, Gartner analyst Bill Malik says Symantec Corp. in Cupertino, Calif., and Network Associates Inc. in Santa Clara, Calif., offer similar capabilities but Finjan's is more advanced.

Pelican Security Inc.

Chantilly, Va.

www.pelicansecurity.com

Pelican Security's SafeTnet desktop software also detects and isolates downloaded active content. But unlike Finjan, the company says its products let users secure applications and systems by determining who has access to make changes. It blocks content by determining what can be changed, as opposed to what can be let through.




COMPUTERWORLD  July  9, 2001 


Risks of Doing E-Business

The threat from computer crimes and other online security breaches has barely slowed, never mind stopped, according to a recent survey of 538 security professionals in U.S. corporations that was conducted by the Computer Security Institute and the FBI's Computer Intrusion Squad.

Reported breaches in the past six months: 85%
Reported financial losses in the past six months: 64%
Could quantify financial losses: 35%

TOTAL QUANTIFIABLE LOSSES
Year 2000: (265,589,940)
Year 2001 (projected): (377,828,700)

TYPES OF QUANTIFIABLE LOSS
Theft of proprietary information: $151.2M
Fraud: $92.9M

ATTACKS REPORTED TO LAW ENFORCEMENT
Year 2000: 25%
Year 2001 (projected): 36%

ATTACKS ON THE RISE
[Chart: penetration from outside; denial-of-service attacks; employee abuse of Internet privileges]

Net Intrusions Cost Billions

Though the cost of intrusions is high, many companies still haven't devoted many resources to protecting themselves.

Total annual cost of online security breaches to corporations: $15B
Percentage of companies that have yet to implement adequate security: 30%
Percentage of companies that spend 5% or less of their IT budget on security for their networks: 50%


Who does the best job of protecting data on computers?
[Chart: other; federal government; state and local governments; big business; small business]

SOURCE: INFORMATION TECHNOLOGY ASSOCIATION OF AMERICA, ARLINGTON, VA.

U.S. Incident Response Services Expenditures by Service Activity

Key findings include the fact that services will experience growth respective to the number of cyberattacks and security breaches, and individual service activity spending over time will increase or decrease at varying rates, according to incident severity and frequency.

                             1999   2000   2001   2002
Cyberforensics               $14M   $24M   $36M   $45M
Incident-response services   $74M   $94M   $129M  $152M
Total                        $88M   $118M  $165M  $197M

SOURCE: IDC, FRAMINGHAM, MASS., 2001

Only 0.4% of a company’s revenue, on average, is dedicated to information security in the U.S. By 2011, however, that figure will accelerate tenfold to 4% of revenue for U.S. companies, according to Gartner Inc.’s total cost of ownership model for information security.


Addressing E-Business Security Challenges

PREPARATION

1. Begin with a strong security policy as a foundation for an architecture. The policy should specify what, how, where and by whom allowed activity is performed on corporate servers or networks.

2. Classify all assets and types of users.

3. Reinforce the basic safeguards for physical and perimeter security.

4. Deploy policy-based centralized management.

5. Focus on strong authentication and authorization.

6. Commit to ongoing audit and review.

SOURCE: IDC, FRAMINGHAM, MASS.

RESPONSE

1. Employ security professionals (such as Tiger/SWAT teams) remotely or on-site.

2. Identify, contain and disconnect access to the infected portion of a network.

3. Monitor and record network intruders' actions, when possible.

4. Obtain images and data logs of networked systems.

5. Protect images and evidence on safe media.

6. Assess economic damage.

7. Clearly and concisely report the event, countermeasures and status to senior management.


Virus Alert

Downtime From Viruses

Judging by server downtime, which increased substantially from 1999, viruses are starting to take their toll on network performance:

                                        1999    2000
Servers down for more than one hour     9%      64%
File problems from viruses              50%     66%
Companies with data loss                31%     40%

SOURCE: ICSA LABS, CARLISLE, PA.; ICSA LABS 6TH ANNUAL COMPUTER VIRUS PREVALENCE SURVEY 2000


Top  10  Viruses 

The most active viruses in the past four weeks, according to MessageLabs Ltd., a U.K.-based virus-detection agency:

NUMBER OF VIRUS DETECTIONS IN THE PAST FOUR WEEKS

[Bar chart, scale 0 to 20,000, covering the following viruses:]

W32/Magistr-mm 
W32/Hybris.B-m 
VBS/VBSWG.X-mm 
JS/Kak-m 
VBS/ExtraHelp.A-m 
W32/BadTrans.A-mm 
W32/MTX-mm 
W95/Hybris.D-m 
VBS/LoveLetter.C-mm 
W97M/Marker.C 

E-Mail  Flu  Season 

The  following  graph  plots  the  ratio  of  viruses  to  e-mail  during 
the  past  12  months.  You  can  see  that  the  ratio  varies  from  one 
virus  in  every  1,400  e-mails  in  September  2000  to  one  in  every 
400  in  May  2001. 


[Chart: ratio of viruses to e-mail, by month, from July ’00 to June ’01]

SOURCE: DATAMONITOR PLC, NEW YORK

SOURCE: IDC, FRAMINGHAM, MASS.


Protecting the integrity of data is only half the job of the corporate security manager. The other half is persuading employees to protect their data wherever it is.

By Deborah Radcliff

Most companies wouldn’t think of putting information security, physical security and facilities into one unit. Yet 12 years ago, Eduard Telders made combining the management of these units a condition of his employment at Pemco Financial Services in Seattle.

Now, Telders says he knows of a dozen or so Fortune 500 companies, including Microsoft Corp., that have put physical and technical security management together as a single function. And at both Microsoft and Pemco, the position was handed to a technical security manager, not the physical security manager.

It takes a unique technologist to make this leap. Managing these once-disparate groups calls for thinking far beyond “making the wires hum,” Telders explains. This renaissance position calls for a manager who can think about how those wires open the company to the risk of internal embezzlement and fraud, data theft and customer privacy violations.

That means the corporate security manager must also stay up to speed on the physical risks to corporate data, such as building-access violations like “shoulder surfing” (following a badged employee through an open door). Telders stays up-to-date through his memberships in organizations such as the American Society of Industrial Security and by maintaining his standing as a certified protection professional, which he received in 1999.

Today, most investigations into security threats or violations require both physical and technical investigative techniques. For example, when Pemco had problems with employees sending hate mail and surfing the Web for pornography late at night a year ago, Telders’ team first tracked physical access to areas of the building through its key-entry system. Then they checked to see who was logged on in those areas at night. Finally, they examined the log files on those systems to see what was being accessed.

“All companies have . . . abuses of systems and other [human resources] problems,” Telders notes. “Computers have just become one of the tools to commit [electronic] indiscretions.”

Along with knowledge of the IT and physical aspects of data protection, Telders must rally every employee around protecting the company’s data in all forms. For example, when users said no one would mess with their computers left on at night, Telders suggested that they cash their paychecks and leave the money on the keyboard over the weekend to see if it would still be there Monday. That clicked with them.

“The first thing I learned about managing the physical was that communication is extremely important with users whom you are trying to put tight controls around,” Telders says. “They need to understand in their own terms the whys and wherefores of how the entire security system works. And you must be very responsive to their problems.”

Ironically, it’s the workers on his old stomping grounds, the IT group, who he has to keep the closest eye on, he says. They’re the ones trying to punch holes in the firewall to drop in Digital Subscriber Lines and download the latest cool stuff. And they’re the ones who see his security policies as an opposition to them accomplishing their mission of making the wires hum. In fact, Telders has to occasionally quash rebellions among IT group employees when they try to wrestle information security management away from Telders’ unit.

Although Telders can empathize, he says his real responsibility is to the owners of the data — the shareholders and the board.

“We represent the owners of the data. And based on the rules of the data owners, we make determinations of what is and is not appropriate,” he says.


MORE IN DEPTH STORIES

■ See our chart on top-paying regions and industries for IT security professionals.

www.computerworld.com/securityonline

IN DEPTH RESEARCH

■ Security training and education research links.

www.computerworld.com/securitylinks


Profile

NAME: Eduard Telders

TITLE: Corporate security manager

REPORTS TO: Chief technology officer

DIRECT REPORTS:

■ Security compliance officer (physical security management)

■ Safety and security coordinator (safety and physical security administration)

■ Senior information security analyst (engineering and design, penetration and intrusion detection, forensics)

■ Two information security analysts (daily administration/project work)

REQUIREMENTS:

■ Basic understanding of operating systems, networking and IT security

■ Risk-management background

■ Physical security certifications and training

■ Master's degree (Telders’ is in biology)

■ Be adaptable, ethical and a strong business communicator
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IT  CAREERS 


(J)  careers 


Programmer/Analyst,  Columbia, 
MD.  Analyze,  design,  develop, 
debug,  optimize,  implement  & 
test  and  maintain  software  appli¬ 
cations  and  systems  using  Java, 
HTML,  E-Commerce  Systems, 
Perl,  Dreamweaver,  J  Server,  J 
run,  and  Windows  NT.  Reqd. 
B.S.  or  equiv.  in  Computer 
Science  &  2  yrs  related  exp. 
M-F,  40hrs/wk  +  O/T.  Send 
resume  to  S.  Monacelli,  HR  Ref. 
#  235,  Maxim  Group  Inc., 
6992  Columbia  Gateway  Drive, 
Columbia,  MD  21046. 


Prog/Analyst,  Comp.  Support 
Specialist,  Comp.  Engr.  or  DB 
Admin.:  Design,  develop  &  test 
computer  programs  using  Java, 
C++,  UNIX,  Oracle,  SQL  Server. 
Min:  BS  in  Comp.  Sci.  (or  equiv.) 
&  1  yr  exp.  Senior  Prog/Analyst, 
DB  Design  Analyst,  Comp.  Engr. 
or  DB  Admin.:  Analysis,  design, 
&  development  of  computer 
programs  using  Java,  C++, 
UNIX,  Oracle,  SQL  Server.  Min: 
MS  in  Comp.  Sci. (or  equiv.);  or 
BS  in  Comp.  Sci.  (or  equiv.)  &  5 
yrexp.  Resume:  HR  Dept.,  ITM, 
6  Kilmer  Rd.,  Edison,  NJ  08817. 


SENIOR  SYSTEMS  ANALYSTS 

Req’s  Master's  deg  in  Comp  Sci 
or  Bach’s  deg  in  Comp  Sci  plus 
5  yrs  prog  resp  exp  as  Systems 
Analyst  or  related  occup.  Resp 
for  designing,  developing  & 
implementing  software  systems 
and  Windows  &  Web  dev’mt. 
Req’d  skills  include  Java,  C++, 
Visual  Basic.  E-mail  resume  to 
knowlton  @  teamtpc.com  or  send 
resume  to  Julie  Knowlton, 
Technology  Professionals  Corp, 
1  Ionia  SW,  Ste  400,  Grand 
Rapids,  Ml  49503. 


Prog/Analyst,  Comp.  Support 
Specialist,  Comp.  Engr.  or  DB 
Admin.:  Design,  develop  &  test 
computer  programs  using  Java, 
C++,  UNIX,  Oracle,  SQL  Server. 
Min:  BS  in  Comp.  Sci.  (or  equiv.) 
&  1  yr  exp.  Senior  Prog/Analyst, 
DB  Design  Analyst,  Comp.  Engr. 
or  DB  Admin.:  Analysis,  design, 
&  development  of  computer 
programs  using  Java,  C++, 
UNIX,  Oracle,  SQL  Server.  Min: 
MS  in  Comp.  Sci.(or  equiv.);  or 
BS  in  Comp.  Sci.  (or  equiv.)  &  5 
yrexp.  Resume:  HR  Dept.,  ITM, 
6  Kilmer  Rd.,  Edison,  NJ  08817. 
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careers 


SOFTWARE  ENGINEER:  The 
Software  Engineer  will  work  in  a 
small  team  of  Engineers  to  code 
and  test  applications  on  a  Win¬ 
dows  platform  developed  using 
C  and  VC++.  Will  design  and 
develop  software  for  the  utility 
industry,  using  C/C++,  employing 
component  based  enterprise 
solutions.  Will  develop  a  web 
based  Graphical  User  Interface 
(GUI)  using  HTML,  DHTML  or 
Java.  The  Software  Engineer  will 
also  use  Multi-threading  and  Inter¬ 
process  communications.  Re¬ 
quirements:  B.S.  or  equivalent  in 
Computer  Science,  Electronics, 
Electrical  Engineering  or  a  related 
field  and  four  (4)  years  experience 
in  the  job  offered  OR  in  software 
application  engineering  for  the 
utilities  industry.  Demonstrated 
expertise  using  two  of  the  fol¬ 
lowing  tools:  VC++,  RDBMS, 
ODBC,  MTS,  MSMQ,  and  XML. 
Offered  salary  is  $74, 000/year 
for  full-time  employment  (min.  40 
hours  per  week)  and  standard 
company  benefits.  EEO.  Submit 
2  resumes  and  respond  to  Case 
No.  20002249,  Labor  Exchange 
Office,  19  Staniford  Street,  1st 
Floor,  Boston,  MA  021 14. 


E-Business  Solutions  Consultant 
-Design/develop/code/test 
webproEX  software  (Webspeed/ 
Progress/MFG/PRO  based  e- 
business  solution),  design  new 
modules,  maintain  old  releases, 
assist  Project  Mgr  to  release 
new  software  versions,  &  support 
clients  for  webproEX  customiza- 
tions.  Bachelor’s  degree  in 
Computer  Science  or  Engineer¬ 
ing  req'd  &  1  yr  experience  in  job 
offered  or  as  Software  Developer 
or  Programmer  req'd.  Must  be 
proficient  w/  Progress  Version  6 
or  higher/  Webspeed/MFG/ 
Pro/Javascript/HTML.  40  Hrs/ 
wk,  $75,000/yr,  OT  as  needed. 
Apply  to:  F.  Garmon,  Bravepoint, 
5875  Peachtree  Industrial  Blvd, 
Norcross,  GA  30092,  Ref:  DG. 


Programrner/Analyst.  Dsgn,  dvlp 
&  implmt  commercial  s/ware 
applies  using  C++  prgmg  lang., 
commercial  applic  frameworks, 
&  object-oriented  methodologies 
in  C/S  d/base  envrmt;  identify, 
dsgn,  dvlp  &  implmt  object- 
oriented  &  generic  reusable 
applic  components  &  parts; 
review  &  re-factor  existing  code 
base  to  improve  code  quality  & 
components’  reuse  rate  &  to 
resolve  performance/resource 
consumption  problems.  BS  in 
Math,  Comp  Sci,  Physics,  Eng  or 
rel.  field  +  lyr  exp  in  job  offd  or 
rel.  occupation  such  as  S/ware 
Engr  or  similar  duties  under 
different  job  title.  Exp  to  incl 
MacOS  &/or  Win  95/NT  &  C++  & 
object-oriented  prgmg.  Demon¬ 
strated  ability  to  analytically 
solve  problems  &  communicate 
clearly.  40  hr/wk,  $39K/yr.  Must 
have  proof  of  legal  auth  to  work 
in  US.  Send  resume  to  IA  Work¬ 
force  Ctr,  1700  S.  1st  Ave„  Ste 
1 1 B,  PO  Box  2390,  Iowa  City,  IA 
52244-2390.  Pis  refer  to  JO 
IA1 1 01 409.  Employer  paid  ad. 


♦ 


Database  Analyst.  Responsible 
for  designing,  implementing  and 
maintaining  database,  software 
tools  and  documentation  for 
Internet  based  financial  appli¬ 
cations.  Must  have  Master's 
degree  in  Finance,  Accounting, 
Information  Systems  or  related 
field.  Must  have  knowledge  of 
financial  data  analysis,  SQL, 
ASP,  C,  and  Visual  Basic.  Send 
cover  letter  and  resume  to 
Stockpoint,  Inc.,  Attn:  Ronald  E. 
Stablein,  2600  Crosspark  Road, 
Coralville,  Iowa  52241. 


SYSTEM  ANALYST  to  design, 
develop  and  analyze  Program 
Information  Management  System 
using  Visual  Basic,  Oracle  and 
object  oriented  programming; 
interface  between  COBRA  (Wel- 
com)  and  Primavera  Enterprise 
using  Visual  FoxPro;  develop 
and  support  invoicing  program  for 
COBRA  using  PowerBuilder, 
FoxPro  and  Dbase.  Require:  B.S. 
in  Computer  Science/Information 
System/Mathematics  and  two 
years  of  experience.  M.S.  degree 
may  be  substituted  for  B.S.  degree 
and  2  years  of  experience. 
Salary:  $75,000  per  year,  8  am 
to  5  pm,  M-F.  Apply  with  resume 
to:  HR  Manager,  4U  Services, 
Inc.,  1001  Virginia  Avenue,  Suite 
300,  Atlanta,  GA  30354  (Ref.  No. 
ATL001). 


SOFTWARE  ENGINEER  to 
provide  consultancy  in  design, 
analysis,  development  and  main¬ 
tenance  support  for  Customer 
Information  System  on  IBM 
mainframe  legacy  systems  using 
CICS,  COBOL  II,  DB2,  VSAM, 
JCL  and  Easy-Treive;  provide 
performance  review  of  on-line 
and  batch  application  code; 
analysis  and  performance  tuning 
of  SQL  used  in  data  processing 
programs.  Require:  M.S.  in 
Computer  Science  and  three 
years  experience  in  the  job 
offered  or  any  experience  pro¬ 
viding  skills  in  described  duties. 
Salary:  $65,000  per  year,  8  am 
to  5  pm,  M-F.  Apply  with  resume 
to:  CEO,  FI ,  Inc.,  359  S.  Franklin 
Street,  Valparaiso,  IN  46383- 
6423 


Sr.  Programmer  Analyst:  Convert 
project  specs  using  flowcharts, 
diagrams  and  design  techniques 
for  business  applications.  Perform 
systems  analysis,  modify  and 
enhance  applies  for  Peoplesoft 
Financials  by  using  PeopleTools, 
Invision  and  Java.  Provide  busi¬ 
ness  processes  enhancements, 
develop  Chart  field  level  security 
and  web-enable  applications. 
MS  Deg  in  Computer  Science  or 
BS  in  Computer  Applications  w/5 
years  progressive  experience. 
Sal  $75K/yr+Med  Benefit.  Resume 
to  VP,  Criterion  Software  LLC, 
1 20  Wood  Avenue  South,  #300, 
I selin,  NJ  08830. 


Managing  Consultant 
Direct  activities  of  Application 
Consultants  defining  solutions 
and  delivering  services  to  clients 
deploying  enterprise  applications. 
Must  have  MS  in  EE,  CS,  CE  or 
related.  Employer  will  accept 
MS  degree  or  its  equivalent  in  a 
BS  degree  followed  by  5  yrs 
progressive  experience  in  the 
field.  Send  resume  to:  Erin  Neagle, 
Human  Resources,  Recruiting 
Coordinator,  Extraprise  Group, 
321  Summer  Street,  Boston, 
MA  02210 


SENIOR  CATEGORY  ANALYST 
(Boca  Raton,  FL):  Collect,  scrub, 
&  classify  retail  customer  sales 
&  inventory  data;  assist  in 
planogram  process  for  lay  retail 
customers;  evaluate  &  critique 
customer  SKU  forecasts;  also 
develop  SQL  queries  for  data 
reporting  store  and  streamline 
current  reports  &  analysis 
through  automation  tools  such 
as  Access;  Req.  MBA  plus  1  yr 
exp.  in  job  offered  or  as 
Merchandise  Analyst.  Resume 
to:  Barbara  Yamulla,  Director  of 
Human  Resources,  New  Dana 
Perfumes,  Corp.,  470  Oakhill 
Rd.,  Mountaintop,  PA  18707. 


Software  Engineers  (multiple 
positions)  sought  by  Dallas, 
Texas-based  Comp  S/ware 
Consultancy  firm.  Must  have 
Bach  or  equiv  in  Comp  Sci  or 
engg  &  1  yr  s/ware  exp.  Respond 
to:  HR  Dept,  Innovative  Business 
Solutions,  Inc.,  5353  Alpha 
Road,  Suite  108,  Dallas,  TX 
75240. 


Web  Services  Director  for 
benefits  consulting  firm.  Leads  & 
manages  functional  &  technical 
integration  of  web-based  bene¬ 
fits  platforms  with  existing  HRIS 
systems.  Knowledge  ERP,  SAP, 
HR,  ASAP,  Peoplesoft.  BS  Com¬ 
puter  Science/Math/Engineering. 
Resumes  to:  careeronportunities 
acwcainc.com 


Network  Engineer:  configuration, 
installation  &  administration  of 
network  sys.,  standardize  soft¬ 
ware;  in-store  &  on-site  repairs 
to  network  server  or  station. 
Provides  technical  support  & 
answers  trouble  calls.  Req.  BS  or 
equiv.  in  CS  or  CIS  w.  proficiency 
in  Windows  NT,  AIRNET  &  Novell. 
$49,000/yr,  40  hr/wk,  8-5.  Contact 
L  Atlanta  Electronics  Inc.  dba 
Leadman  Electronics  USA,  Inc. 
5470  E  Oakbrook  Pkwy,  Norcross, 
GA  30093,  fax:  770-448-0054 


Computer  Support  Specialist: 
Provide  technical  assistance 
and  support  for  system  users. 
Answer  clients'  questions  con¬ 
cerning  NT  Server/Workstation, 
WIN  95/98/00,  software  such  as 
SBT  and  Peachtree.  Provide 
database  support  for  Access, 
Oracle,  SQL,  and  Visual  Basic. 
BS  and  1  year  exp.  (will  accept 
MS)  Send  resume:  HR,  PC 
Warehouse,  70  East  Palisades 
Avenue,  Englewood,  NJ  07631. 


Softwai^DHHmBBgl 
Analysts  wanted  for  IT  consulting 
firm  in  New  Hyde  Park,  NY. 

Duties  require  designing,  devel¬ 
oping,  maintaining,  implementing, 
interfacing  and  customization  in 
Oracle/Oracle  Application  Pack¬ 
ages  using  Oracle  Applications, 
Oracle  Financials,  Oracle  Projects, 
Oracle  Manufacturing,  Oracle, 
Developer  2000,  Designer  2000, 
Forms,  Reports,  SQL  Loader, 
PL/SQL,  SQL  Plus,  C,  Pro’C, 
Unix,  Windows  and  Oracle  Tools. 

Sftwre  Engnrs  require  Master's 
degree  or  equiv  in  Comp.  Sci, 
Electronics,  Physics,  Math  or 
Engg,  &  3  yrs  exp  or  Bach  &  5 
yrs  of  prog  exp.  Progmr/Anlysts 
req  Bach  or  equiv  &  2-4  yrs  exp. 

Respond  to  VP,  S  &  S  Information 
Systems,  33  Durham  Road,  New 
Hyde  Park,  NY  11040.  Fax: 
516-616-4092,  e-mail:  ssinfosys 
@  aol.com 


SR  SOFTWARE  ENGINEER 
Code,  design,  implement  &  maintain  product  modules  8c 
sub-systems.  Develop  test  product  specs.  Assist  with  design 
parameters.  Serve  as  technical  resource  for  project  team  Sc 
lead  engineer.  Review  functional  specs  Sc  design  8c  code  of 
modules  8c  sub  systems.  Design  test  plans  Sc  conduct  testing 
8c  code  enhancements.  Research  &  develop  solutions  to 
problems.  Min.  req’s:  BSc  in  CS  plus  5  yrs’  exp  in  sftwr 
design  8c  dvlpmt  or  MSc  in  CS  or  related  field.  Must  have 
unrestricted  authorization  to  work  in  U.S.  Please  indicate 
Reference  Code  IMSS  when  sending  your  resume. 

PRINCIPAL  SOFTWARE  ENGINEER 
Lead  team  of  design/development  engineers.  Code,  identify, 
cost,  and  deliver  enhancements.  Design  and  code  GUI. 
Perform  text  processing  and  design  data  structure.  Min. 
req’s:  Bach  in  comp  sci,  electronic  eng,  or  related  field  plus  3 
yrs’  exp  in  sftwr  design  8c  devlpmt.  Must  have  unrestricted 
authorization  to  work  in  U.S.  Please  indicate  Reference  Code 
IMAA  when  sending  your  resume. 

An  EOE.  Please  mail  or  fax  your  resume,  indicating  appro¬ 
priate  Reference  Code,  to:  Iris  Associates,  ATTN:  Kendra 
Langevin,  Human  Resources,  Five  Technology  Park  Drive, 
Westford,  MA  01886;  Fax:  978/692-5001.  Email: 
kendra_langevin@iris.com 


Computer  Support  Specialist  to 
install,  modify  and  make  minor 
repairs  to  computer  hardware 
and  software  systems  and  pro¬ 
vides  technical  assistance  and 
training  to  system  users:  diagnoses 
computer  hardware,  software 
and  operator  problems;  performs 
or  instructs  hardware  and  software 
installation,  testing  and  repairs; 
perform  network  designing. 
Server  installing  and  TCP/IP  set¬ 
ting.  Enters  and  modifies  com¬ 
mands  and  observes  system 
functions  to  verify  correct  system 
operation.  Answers  technical 
inquiries  in  person  orvia  telephone 
concerning  system  operations. 
Writes  or  modifies  settings  or 
commands  for  programs  to  run 
under  different  operating  systems. 
Req:  BS  in  Computer  Information 
Systems  or  a  related  field,  ability 
to  diagnose  malfunction  and  failure 
of  computer  or  components 
without  using  manufacturer’s 
manual  or  specification.  $24k/yr; 
40hr/wk,  9am  to  5pm;  Fax  re¬ 
sume  to  (770)  810-8893,  attn: 
Jennifer  Hu. 


Position:  Senior  Software  Engi¬ 
neer.  Qualifications:  Must  have 
at  least  an  MS  degree  in  Com¬ 
puter  Science,  Electronic  or 
Electrical  Engineering  or  related 
plus  at  least  3  years  job-offered 
experience.  In  lieu  of  MS  degree, 
would  also  accept  a  BS  degree 
or  its  equivalent  in  the  above- 
mentioned  fields  of  study  plus 
five  years  of  progressive  job- 
offered  experience.  Must  have 
proof  of  legal  authority  to  work  in 
the  U.S.  Duties:  Design,  imple¬ 
mentation  (in  C  language)  and 
testing  of  multimedia  Internet 
protocols  such  as  H-323  based 
(a  VOIP  networking  protocol) 
audio  conferencing,  which  flows 
into  Company's  GSM  product 
across  various  platforms.  Utilize 
good  understanding  of  operating 
system  internals  to  analyze,  debug 
&  fix  software  defects  identified 
as  part  of  H-323  interworking 
function  for  GSM  product,  as 
well  as  a  good  understanding  of 
the  underlying  hardware.  Area 
of  Employment:  Colorado  Spnngs, 
Colorado.  Salary:  $65,410  per 
year,  40  hour  work  week.  Contact: 
Send  resume  to  Jim  Shimada, 
Colorado  Department  of  Labor 
and  Employment,  Tower  2,  Suite 
400,  1515  Arapahoe  Street, 
Denver,  CO  80202-2117;  refer 
to  Order  Number  CO  JL 1 1 20059. 


Computer  Prof’ls:  (1)  Openings 
for  Prog/Anal,  Syst’s  Anal,  DB 
Admin  or  Computer  Engg: 
Design,  develop  &  test  computer 
progs  for  busn  appl's  using  Java, 
Lotus  Notes,  C++,  VB,  ASP, 
Unix,  Oracle,  SQL  Server.  BS  in 
Comp  Sci,  Comp  Engg,  Info 
Syst's  or  Elec  Engg  (or  equiv)  & 
1  yr  exp.  (2)  Openings  for  Sr 
Prog  Anal,  DB  Design  Analyst, 
DB  Admin,  or  Computer  Engg: 
Design,  develop  &  test  computer 
programs  for  busn  appl's  using 
Java,  C++,  VC++,  VB,  ASP,  Unix, 
Oracle,  SQL  Server.  MS  in 
Comp  Sci,  Comp  Engg  (or 
equiv)  &  5  yrs  exp.  Resume:  HR 
Dept,  Fulcrum  Logic,  Inc,  313 
South  Ave,  Ste  102D,  Fanwood, 
NJ  07023. 


Senior  Software  Developer  - 
Duties  include  designing  and 
developing  advanced  computer 
software  systems  using  program¬ 
ming  languages  namely,  JAVA, 
C/C++  as  well  as  tools  such  as 
Visual  Café,  Visual  C++;  devel¬ 
oping  web  and  graphical  user  in¬ 
terfaces  from  new  and  existing 
systems;  using  core  web  tech- 
nologies-JSP,  Servlets,  COM, 
OLE  and  MFC  in  implementing 
solutions;  preparing  flowcharts 
and  design  document;  partici¬ 
pating  in  design  meetings  and 
consulting  with  other  staff  to 
evaluate  interface  between 
hardware  and  software.  -  40 
hours  per  week,  8:00am  to 
5:00pm  -  5  days  a  week. 
Requires  a  bachelor's  degree  in 
computer  science.  5  years 
experience  in  the  job  offered  or 
5  years  experience  in  the  related 
occupation  as  a  senior  technical 
consultant  or  programmer/analyst. 
Related  experience  in  the  occu¬ 
pation  as  senior  technical 
consultant  or  programmer/ 
analyst  in  using  object  oriented 
design  techniques;  using  pro¬ 
gramming  languages  C/C++; 
Visual  C++;  MFC;  using  interface 
design,  advanced  software 
programming  on  the  Microsoft 
windows  operating  system, 
preparing  flowcharts  and  design 
documents,  evaluating  user 
requests  for  new  or  existing 
systems.  Job  is  located  in 
Naples,  FL.  -  $71,000  per  year. 
Send  resume  to  Agency  for 
Workforce  Innovation/Bureau  of 
Workforce  Program  Support, 
P.O.  Box  10869,  Tallahassee,  FL 
32302.  Re:  JOFL  #  2191509. 


SAP  PROJECT  ENGINEER. 
Multiple  openings  for  full-time 
SAP  Project  Engineer.  Respon¬ 
sibilities  include:  manage  the 
design,  development,  and  imple¬ 
mentation  of  information  sys¬ 
tems  utilizing  ABAP,  Java,  and 
UNIX;  manage  the  customization 
and  integration  of  SAP  and  other 
software  solutions;  manage  the 
customization  of  SAP  R/3  and 
implement  ERP  packages;  and 
manage  the  configuration  of 
SAP  software  for  all  areas  of 
corporate  operations  on  a  fully- 
integrated,  real-time  online  basis. 
Travel  as  required  to  Heidelberg 
sites  throughout  the  United  States 
Monday  -  Friday.  Must  have  a 
Bachelor's  Degree  or  foreign 
and/or  education  equivalent  in 
Mechanical  Engineering  and  5 
years  of  progressive  experience 
in  SAP  systems  analysis,  engi¬ 
neering,  or  related  field,  or  a 
Master's  degree  or  educational 
and/or  foreign  equivalent  as 
described  and  three  (3)  years  of 
progressive  experience  as  de¬ 
scribed.  Salary:  $110,386/year 
and  up,  commensurate  with  ex¬ 
perience.  Must  have  proof  of 
legal  authority  to  work  in  the 
United  States.  If  interested,  submit 
resume  to: 

Ms.  Alicia  Stignani 
Manager,  Human  Resources 

Heidelberg  USA,  Inc. 

1000  Gutenberg  Drive 
Kennesaw,  Georgia  30144 
PROGRAMMER/ANALYST 
DATABASE  ANALYST 


Offshore  Digital  Services  seeking  candidates  with  commercial  experience 
in  the  areas  listed  below  - 

•  programmer/analysts  and  application  programmers  with  2-7  years 
commercial  experience.  Candidate  should  have  a  BS  (or  foreign  equivalent)  in 
Computer  Science  or  a  related  field 

•  database  analysts  and  developers  with  minimum  3  years  commercial  ex¬ 
perience.  Candidate  should  have  an  MS  (or  foreign  equivalent)  in  Comput¬ 
er  Science  or  a  related  field 

Full  time  permanent  positions  are  available  in  the  San  Francisco  Bay  area, 
and  nationwide. 

Operating  System  -  Unix,  MS  Windows,  NT/95,  OS/2 
RDBMS  -  Sybase,  Oracle,  MS  SQL  Server,  Informix 
Front-end  tools  -  Visual  Basic,  PowerBuilder,  Developer  2000,  Designer  2000 
Applications  -  ERP,  Inventory,  Purchasing,  Distribution 
Internet  Programming  Tools  -  Web  Servers,  ASP,  Java 
Languages  -  C,  C++,  Perl 

Offshore  Digital  Services  provides  competitive  salaries,  benefits,  and  a 
bonus  program  designed  to  encourage  long-term  employment  and  in¬ 
creased  customer  revenue.  Interested?  Send  a  detailed  resume  with  post 
applied  for,  education  background,  project  experience,  and  geographic  pref¬ 
erences  to: 


The  Personal  Manager  Offshore  Digital  Services,  Inc. 
14798  Wicks  Boulevard  San  Leandro,  CA  94577 


OFFSHORE 


Fax:  510-483-1819  Email:  personnel@odsi.com 


BroadVision 

Personalizing  e-Business 
A  Comprehensive  Blueprint 
for  Exploiting  the  Business 
Potential  of  the  Net 

BroadVision  is  the  leading  sup¬ 
plier  of  Internet  application  solu¬ 
tions  for  one-to-one  relationship 
management  across  the  extend¬ 
ed  enterprise.  BroadVision's 
One-to-One  suite  of  applications 
support  mission-critical  business 
processes  with  robust  and  scalable 
architecture,  secure  transactions, 
and  high-performance  operations. 

We  are  looking  for  good  people 
in  these  areas. 

Software  Engineering 
Training 

Technical  Consulting 
Project  Management 
Marketing 
Customer  Support 
Publications 
Software  QA 
Sales 

Product  Management 
Administration 

Please  see  our  website: 
www.broadvision.com 
Staffing  FAX:  (650)  569-4334 
email:  hr@broadvision.com 


MAGNA  INFOTECH,  a  fast 
growing  consulting  company 
is  looking  for  Programmer/ 
Analysts,  Software  Consultants 
and  Software  Engineers  with 
experience  in  one  or  more  of 
the  following: 


ERP:  SAP,  Baan  Implementation, 
Tools,  Admin 

UNIX:  C,  C++,  Shell,  AIX,  HP- 
UX,  Solaris  Admin,  Networking 

AS/400:  RPG/400,  COBOL/ 
400,  CL,  BPCS,  JD  Edwards, 
Synon 

WINDOWS:  VC++,  VB,  PB, 
MFC,  OLE/COM,  Admin 

REAL  TIME:  Microprocessor, 
RTOS  Programming 

INTERNET:  Java,  Javascript, 
CGI,  Perl,  WAP,  Admin,  Active 
X,  ASP 

DATABASE:  Oracle,  Informix, 
Sybase,  DB2  Admin  Developer 
2000,  Designer  2000 

Sales  Manager  /  Marketing 
Manager;  must  have  at  least  2 
years  of  Sales  experience,  BA 
Degree  or  Foreign  Equivalent 
Degree  and  basic  computer 
skills. 

Multiple  positions  exist  at 
various  sites  across  the  US. 

If  you  are  interested  please 
mail  your  resume  clearly 
mentioning  the  reference 
number  CW0300  to: 

Attention  Recruiting  Dept., 
Job  Ref.  CW1000,  Magna 
Infotech  Ltd.  1  Padanaram 
Rd.,  Suite  208,  Danbury,  CT 
06811-4833. 


Software  Project  Manager  wanted 
by  software  R&D  co.  in  Culver 
City,  CA.  Must  have  bachelor's 
degree  in  computer  sci,  engi¬ 
neering  or  rel.  field  +  2  yrs  exper. 
with  complex,  large  scale  s/w 
projects  through  all  phases  in 
UNIX  envir.  using  C,  C++  and 
obj.  oriented  devel.  Will  supervise 
other  s/w  professionals.  Send 
resume  to  Human  Resources, 
400  Corporate  Pointe,  Suite  855, 
Culver  City,  CA  90230. 


Computer  Positions:  Programmer 
Analyst,  System  Analyst,  Soft¬ 
ware  Analyst,  Network  Analyst, 
Systems  Engineers,  Network  En¬ 
gineers,  Database  Analysts,  IT 
Marketing  Specialist,  and  other 
technical  professional.  Multiple 
openings.  Nationwide  client  sites. 
We  need  professionals  with  at 
least  a  bachelor's  degree  in 
computer  science,  engineering, 
mathematics,  statistics,  related 
technical  fields,  or  any  business 
and  1+  year  of  relevant  experi¬ 
ence.  Fax  resumes  to  212-244- 
5082,  att:  Dept.  MIL. 


SOFTWARE  ENGINEER  to 
design  and  develop  database 
systems  using  Oracle  Developer 
and  web  development  tools;  and 
design,  develop,  analyze  and 
implement  client/server  and  web 
based  applications  including  GUI 
design  and  development  using 
PL/SQL  and  SQL*Plus  on  various 
operating  systems.  Require: 
Masters  in  Computer  Science/ 
Electronics  Engineering  and 
three  years  experience  in  the  job 
offered  or  any  experience  providing 
skills  in  described  duties.  Bach¬ 
elors  and  five  years  experience 
may  be  substituted  for  Masters 
and  three  years  experience. 
Salary:  $67,050  per  year,  8  am 
to  5  pm,  M-F.  Apply  with  resume 
to:  Director,  Systems  Development, 
Georgia  Department  of  Natural 
Resources,  205  Butler  Street, 
Suite  1252,  Atlanta,  GA  30334. 


Software  Developer.  Develop 
and  customize  base-line  web 
applications  for  Human  Re¬ 
source  Management.  Responsi¬ 
ble  for  security  administration  of 
database,  quality  assurance, 
and  customer  support.  Must 
have  B.S.  in  Computer  Science, 
Engineering,  or  related  field, 
2  years'  experience  as  Software 
Developer  or  any  suitable 
combination  of  education,  training 
or  experience.  Must  have  knowl¬ 
edge  of  ASP,  JavaScript,  HTML, 
VBScript,  Access,  and  SQL. 
Send  resume  and  cover  letter  to 
HRSoft,  LLC,  Attn:  Paul  Brook, 
505  North  4th  Street,  Fairfield, 
Iowa  52556 


Application/Graphical  Web 
Developer  needed  in  Dallas, 
Texas  area  for  website  and  web 
application  development,  spe¬ 
cializing  in  web  graphics/human 
interface  design  and  application, 
business  material  graphics 
design,  graphical  user  interface 
standards  research  development, 
client-side/server-side  web  pro¬ 
gramming,  database  programming, 
and  web  development  using 
graphical  tools  for  image  editing 
and  graphics  design,  programming 
environment  tools  for  software 
development.  Requires  3  years 
in  job  offered.  Send  resume  to 
RiverRock  Systems,  P.O.  Box 
990  Addison,  Texas  75001-0990, 
refer  to  Code:  GUIWD. 


Systems  Engineer  needed  to 
research,  design  and  develop 
computer  software  systems,  in 
conjunction  with  hardware  product 
requirements,  applying  principles 
and  techniques  of  computer 
science,  engineering  and  math¬ 
ematical  analysis.  Degree  and 
experience  required.  Send 
resumes  to  Michael  T.  Wilson, 
President,  Joseph  Graves 
Associates,  Inc.,  3077  East  98th 
Street,  Suite  160,  Indianapolis, 
IN  46280-1970. 


Software  Engineer.  Plan,  develop, 
test  and  document  PC-based 
software  modules  to  implement 
the  intelligent  process  optimization 
algorithm  using  C++,  and  Win¬ 
dowsNT/2000.  Develop  informa¬ 
tion  retrieval  and  database 
processing  application  and 
customized  graphic  user  inter¬ 
faces.  Must  have  B.S.  in  Com¬ 
puter  Science  or  related  field 
and  knowledge  of  C++,  COM+, 
Visual  Basic,  SQL,  ASP  and 
HTML.  Send  cover  letter  and 
resume  to  Stockpoint,  Inc., 
Attn:  Ronald  E.  Stablein,  2600 
Crosspark  Road,  Coralville,  Iowa 
52241. 


Full  time  Web  Designer.  Respon¬ 
sibilities  include:  Design,  develop 
and  implement  website  applica¬ 
tions  for  prominent  technologically 
advanced  financial  services 
administration  cJHHBB  Construct 
HTML  pages  utilizing  Jscript, 
JAVAScript,  CGI  Script,  and 
Frontpage  98;  design  and  develop 
cascading  style  sheets  and  animat¬ 
ed  pages  utilizing  Dreamweaver 
and  Adobe  Photoshop;  and 
design  and  test  page  links.  Must 
have  a  Bachelor’s  degree  or  its 
foreign  and/or  educational  equiv¬ 
alent  in  Computer  Science  and 
two  years  of  experience  in  web 
development  or  software  engi¬ 
neering.  Must  have  proof  of  legal 
authority  to  work  in  the  United 
States.  Salary:  $68,203  per  year 
and  up,  commensurate  with 
experience.  If  interested,  submit 
resume  to: 

Ms.  Katherine  Kyle 
Warranty  Corporation  of  America 
3110  Crossing  Park  Road 
Norcross,  Georgia  30071-1367 


Software  Eng.  positions  in  Clear 
Lake/Houston  TX. 

System  Software  Eng. -one-year 
exp.  &  Masters  degree 

Application  Software  Eng.-Bach- 
elor's  degree 

Send  resume  and  salary  require¬ 
ments  to  Automation  Solutions, 
Inc.,  930  Gemini,  Houston,  TX 
77058,  or  email:  autosol@autosoln.com 
or  fax:  281-286-6902. 


Software  Engineers,  Programmer/ 
Analysts  &  Jr.  Programmer/Ana¬ 
lysts  needed  in  A,  B,  C,  D,  E,  F, 
G:  (A):  CICS,  DB2,  Adabas,  VSAM, 
Cobol,  Natural;  (B):  Rational  Rose, 
OMC,  Java,  Weblogic,  XML, 
Oracle,  SQL  Server;  (C)  Oracle 
7.X/8.X,  Peoplesoft  and  related 
tools;  (D)  Java,  C,  C++,  Oracle  & 
related  tools,  (E)  Java  on  AS/400, 
DBUSO,  Surveyor/400,  Sublices, 
HTML,  Javascript  (F)  Mainframe 
Applications  &  EDI  using  RPG 
400,  SQL  400,  AS  400,  Java, 
and  related  internet/web  tools 
(G)  Multiple  positions.  These  are 
consulting  positions  requiring 
travel.  Contact:  HR,  Prosoft 
Technologies,  Inc.,  3300  Buckeye 
Rd.,  Suite  379,  Atlanta,  GA 
30341.  EOE. 


Systems  Administrators  needed 
to  configure,  administer,  maintain 
&  manage  various  servers  & 
systems.  Apply  to  Global 
Consultants,  601  Jefferson  Rd, 
Parsippany,  NJ  07054. 


User  Support  Analyst.  8a-5p.  40 
hrs/wk.  Analyze,  test  &  resolve 
comp  h/ware  &  s/ware  problems 
of  users  related  to  dsgn  & 
implmtn  of  bus  applies,  prgms  & 
operating  systm  using  Oracle, 
VB,  SQL,  dbase  &  Lotus  1-2-3. 
Bach  or  equiv  deg  in  Bus  Admin, 
Comp  Sci,  Electrical,  Electronics 
or  related  field  of  Engg.  2  yrs  exp 
in  job  offd  or  as  Systms/Prgmr 
Analyst.  Send  resume  w/ref  #003 
to:  Dushyant  Patel,  President, 
Nextgen  Infotech,  Inc.,  2090 
Beaver  Ruin  Rd.,  Ste  600, 
Norcross,  GA  30071. 


SOFTWARE  ENGINEER  sought 
by  computer  consulting  co.  in 
Houston,  TX.  Must  have  M.S.  in 
Comp.  Sc.,  or  Electrical  Engi¬ 
neering  plus  6  mos.  exp.  Respond 
by  resume  to  Mr.  J.L.  Ogle, 
President,  Network  &  Program¬ 
ming  Services,  Inc.,  900  Thread- 
needle,  Suite  450,  Houston,  TX 
77079. 


Full  time  Computer  Consultant 
responsible  for  design,  write  and 
document  new  on-line  and  batch 
applications  for  the  AS/400 
system  using  RPG/400  ILE,  CL, 
Query/400  and  SQL  programming 
languages.  Develops  interfaces 
between  systems  in  a  multi-plat¬ 
form  environment,  specifically 
between  IBM  AS400,  IBM  Main¬ 
frames  and  PC  platform.  Must 
have  a  Bachelor's  degree  in 
Computer  Science  and  2  years  of 
experience  in  the  job  offered  or 
position  with  same  duties.  Salary 
$70,000/yr.  Send  resumes  to: 
Laura  Kelley  at  ACSYS  Inc.  2400 
Lakeview  Parkway,  Suite  500 
Alpharetta,  GA  30004. 


Call  your 

ITcareers  Sales  Representative 
or  Janis  Crowley. 
1-800-762-2977 
It  may  not  be  grabbing  the  headlines  as  much  as 
other  stories,  but  there  are  a  bevy  of  IT  companies  who 
continue  to  face  that  great,  though  tough,  situation  of 
being  somewhere  between  “whoa”  and  “wow”  -  slow 
this  thing  down  and  let’s  race  to  keep  up. 

The  majority  of  such  companies  are  those  using  the 
Internet  as  an  enabler  for  a  strong  business  proposition  - 
from  helping  job  seekers  to  cutting  the  red  tape  involved 
with  everyday  business  operations. 

GovJobs.com  of  Costa  Mesa,  CA,  falls  within  the  first 
category  -  using  the  Internet  to  enable  job  seekers  to  scan 
the  opportunities  of  the  United  States’  largest  employer,  its 
federal,  state  and  local  government  agencies. 

GovJobs.com  lists  jobs  from  recreational  coordinators 
to  IT  professionals,  pairing  up  job  applicants  with  the  jobs 
listed  by  employer  agencies.  In  addition,  the  site  provides 
pay  tables  for  federal  positions  and  tips  on  landing  jobs  with 
the  government  agencies. 


The  second  category  is  one  filled  by  Freddie  Mac,  a 
leading  mortgage  broker  based  in  McLean,  VA.  Freddie  Mac 
provides  underwriting  products  to  assist  mortgage  lenders  in 
providing  home  loans  to  their  customers.  “One  of  our  goals 
is  to  respond  to  mortgage  lenders  and  brokers  on  a  purchase 
decision  of  a  mortgage  within  two  minutes,”  says  Dwight 
Handon,  senior  director  of  e-business,  infrastructure  and 
integration  at  Freddie  Mac.  “This  requires  the  most  savvy  of 
information  technology  for  our  customers  and  for  the  4,000 
people  who  work  here.” 

Jason  Whitley,  president  and  general  manager  for 
GovJobs.com,  says  his  company  continues  to  hire  up  to  meet 
market  demand  for  the  three-year-old  company.  “There  is 
the  potential  for  ground-floor  opportunities,”  he  says.  The 
company  will  be  extending  its  services  in  2002  to  include  job 
fairs  to  be  held  across  the  country  and  web  development  for 
smaller  city  and  township  governments  who  don’t  currently 
have  an  Internet  presence  or  online  employment  pages. 
“We  are  looking  for  dot-com  enthusiasts  with,  or 
without,  human  resources  or  staffing  backgrounds  who  want 
to  learn  about  and  work  with  the  nation’s  government,” 
Whitley  says.  “We’ll  be  hiring  executive  management,  opera¬ 
tions  and  customer  service,  systems  and  security  personnel.” 

The  IT  challenges  at  Freddie  Mac  range  from  automat¬ 
ed  underwriting  to  a  dark  fiber  network  on  the  Freddie  Mac 
campus  to  deploying  applications  using  JAVA  technology. 
“From  a  data  warehousing  standpoint,  we  are  making 
terabytes  of  data  easily  accessible  to  all  employees, 
anywhere  at  any  time,”  says  Handon. 

In  addition  to  being  named  one  of  Computerworld's 
“100  Best  Places  to  Work  in  IT”  and  being  recognized  for  its 
benefits  and  compensation  program,  Freddie  Mac,  along 
with  ESI-International,  designed  a  seven-course  training 
program  to  significantly  increase  employees’  project 
management  skills.  “The  program  provides  our  employees 
with  a  master’s  certificate  in  IT  project  management  from  the 
George  Washington  University,”  explains  Handon.  “This 
program,  along  with  the  many  others  we  offer,  demonstrates 
our  commitment  to  training  and  development  for  our 
employees.”  Through  May,  29  employees  have  graduated 
from  the  program  and  another  140  are  currently  enrolled. 


For  more  job  opportunities  with  Internet  firms,  turn  to  the 
pages  of  ITcareers. 

•  If  you'd  like  to  take  part  in  an  upcoming  ITcareers  feature,  contact 
Janis  Crowley,  650.312.0607  or  janis_crowley@itcareers.net. 

•  Produced  by  Carole  R.  Hedden 

•  Designed  by  Aldebaran  Graphic  Solutions 


Talent  is 
the  fuel 
of  the  new 
economy. 

Fill  up  with 
ITcareers. 


ITcareers  and 
ITcareers.com  can  put 
your  message  in  front  of 
2/3  of  all  US  IT  profession¬ 
als.  If  you  want  to  make 
hires,  make  your  way  into 
our  pages.  Call  Janis 
Crowley  at 
1-800-762-2977 
Chief  Technology  Officer.  $6,010- 
$7,670/mo.  This  is  the  Depart¬ 
ment  Head  position  for  the 
Information  Systems  Depart¬ 
ment.  Requires  at  least  5  yrs  of 
progressively  responsible  expe¬ 
rience  in  systems  analysis/ 
design  and  business  applications, 
including  demonstrated  experi¬ 
ence  in  program  management 
and  supervision  of  technical  staff 
AND  a  Bachelor's  Degree  in 
technology,  business  or  public 
administration.  A  Master’s  Degree 
is  highly  desirable.  Closes  7/30/01. 
See  www.co.shasta.ca.us  or 
call  (530)  225-5078  for  job  appli¬ 
cations,  job  flyers  describing 
qualifications,  important  applica¬ 
tion  information  and  attributes  of 
living  and  working  in  Shasta 
County.  EOE 


Trusted 
by  more 
hiring 
managers 
than  any 
IT  space 
in  the 
world. 

.com 


Infosys 

POWERED  BY  INTELLECT 

DRIVEN  BY  VALUES 


INFOSYS  (NASDAQ:  INFY)  is  an  acknowledged  world  leader 
in  software  consulting,  with  an  excellent  reputation  for  qual¬ 
ity  solutions,  customer  satisfaction  and  employee  retention. 
We  are  hiring  high-caliber  professionals  with  exceptional 
conceptual  and  communication  skills. 


Business  Development  Managers 


Hunter  profile  -  will  prospect  for  new  business;  additionally  will  establish  and  manage 
long-term  high-value  relationships  with  targeted  customers.  Candidate  must  have  BS/BA 
in  technical,  engineering,  CS  related  field  or  significant  management  experience  + 
MBA/MS-in-management  or  equivalent.  Positions  open  at  listed  branches. 


Will  handle  IT-strategy  consulting  engagements  in  e-business,  ERP,  CRM  etc.  Must  have 
strong  consulting  background  with  BS/BA  in  technical,  engineering,  CS  related  field  + 
MBA/MS-in-management  or  equivalent. 


Will  leverage  strong  understanding  of  business  domains  and  processes  to  help  forge  IT 
based  solutions  for  complex  business  problems.  Must  have  Master’s  degree  or  equivalent 
relevant  experience.  For  senior  level  position,  MA  degree  or  equivalent  and  3+  yrs.  exp. 
or  equivalent  is  required. 


Software  Development  Managers,  Project  Leads, 
Senior  Systems  Analysts,  Systems  Analysts  & 
Programmer  Analysts 


Conduct  application  development  at  various  levels  of  complexity  and  team  participation. 
Seeking  candidates  for  our  Software  Development  Manager  positions  with  MS  degree 
and  5+  yrs.  exp.  or  BS  degree  and  8+  yrs.  exp.  Seeking  candidates  for  our  senior  level 
positions  with  MS  degrees  +  3-5  yrs.  exp.  Seeking  candidates  for  our  entry  level 
positions  with  BS  degree. 

Technical  and  consulting  positions  rotate  through  worksites  nationwide. 

When  applying,  please  mention  position  and  location  preference.  We  offer  competitive 
compensation,  excellent  professional  development  and  benefits.  Apply  to:  Human  Resources, 
34760  Campus  Drive,  Fremont,  CA  94555.  E-mail:  careers  usa  ©infy.com.  EOE 


www.infy.com 


Computerworld  •  InfoWorld  •  Network  World  •  July  9, 2001 




careers.com 
COMPUTER/IT 

Programmer-Analyst.  Requires 
a  Bachelor's  degree  or  higher  in 
Computer  Science,  Mathematics, 
or  Engineering  and  2  years' 
experience  in  the  job  offered  or 
2  years'  experience  in  the  devel¬ 
opment  of  SAP  R/3  modules  for 
financials,  manufacturing  and 
sales/distribution.  All  of  the  stated 
experience  must  have  included: 
Application  Link  Enabling  (ALE) 
and  Business  Application  Pro¬ 
gramming  Interface  (BAPI) 
development  and  configuration 
in  SAP  R/3;  development  of 
SAPScript  in  SAP  R/3;  develop¬ 
ment  of  enhancements,  reports, 
interfaces  &  conversions  in  SAP 
R/3;  and  performance  analysis  & 
tuning  of  SAP  R/3  programs  & 
dialogs.  Experience  must  include 
one  full  lifecycle  of  SAP  R/3 
development.  (Will  also  accept 
foreign  education  deemed  equiv¬ 
alent  to  a  bachelor's  degree  or 
three  years  of  university-level 
credit  emphasizing  one  of  the 
stated  fields  &  one  additional 
year  of  the  stated  experience.) 
Engage  in  development  of  SAP 
R/3  modules  for  financials,  man¬ 
ufacturing,  and  sales  /  distribution 
over  a  full  lifecycle  in  an  auto¬ 
motive  production  facility.  Develop 
SAPScript  in  SAP  R/3,  as  well  as 
engage  in  Application  Link 
Enabling  (ALE)  &  Business 
Application  Programming  Interface 
(BAPI)  development  and  config¬ 
uration  in  SAP  R/3.  Develop 
enhancements,  reports,  interfaces, 
and  conversions  in  SAP  R/3. 
Resp.  for  performance  analysis 
&  tuning  of  SAP  R/3  programs  & 
dialogs.  Enhance  the  LIFO,  API, 
and  Super-Backflush  custom 
processes  that  are  built  in  SAP 
R/3.  Provide  comprehensive 
technical  designs  by  way  of  data 
flow  diagrams,  unit  test  plans, 
and  pseudo  code.  Construct 
efficient  ABAP/4  code  and  engage 
in  applications  development 
using  IDOC  and  BAPI  structures. 
Provide  technical  support  to  the 
existing  production  environment. 
Apply  with  resume  to:  Ms. 
Jennifer  McKenzie,  Delphi  Auto¬ 
motive  Systems  Corp.,  5725 
Delphi  Drive,  Troy,  Michigan 
48098. 
Real  estate  related  financial 
information  services  company 
located  in  Ft.  Lauderdale,  Florida, 
seeks  to  hire  Software  Program¬ 
mer/Analyst  to  plan,  develop, 
test  and  document  computer 
programs;  program  in  Adabas/ 
Natural,  Cobol  and  JCL;  evaluate 
clients  systems  and  program 
requests;  develop  solid,  reusable 
components  and/or  scalable 
systems  solutions  for  clients; 
create  solutions  from  functional 
and/or  technical  specifications; 
create  user  documentation  and 
technical  documentation  for 
clients;  perform  unit  testing  and 
system  testing;  perform  debug¬ 
ging  and  troubleshooting;  ensure 
standards  compliance;  and  provide 
training  and  technical  support 
and  maintenance  to  clients. 
Bachelor's  degree  in  Computer 
Science  or  related  field  or  work 
experience  equivalent  to  a 
Bachelor's  degree  in  Computer 
Science  or  related  field  required. 
Two  (2)  years  of  work  experience 
as  a  software  programmer/ana¬ 
lyst  or  in  software  design  and/or 
development  also  required.  The 
two  (2)  years  of  work  experience 
or  related  work  experience 
should  include  two  (2)  years  of 
Cobol  and  JCL  and  one  (1)  year 
of  Adabas/Natural.  Salary: 
$40,040.00  per  year.  Work 
hours:  8  a.m.  to  5  p.m.,  40  hours 
per  week.  Send  resume  to: 
Agency  for  Workforce  Innovation 
ALC/Unit,  P.O.  Box  10869, 
Tallahassee,  FL  32302-0869. 
Job  Order#  FL-21 89525.  EOE 


SOFTWARE  ENGINEERS, 
CONSULTANTS,  PROGRAMMERS, 
PROGRAMMER  ANALYSTS, 
PROJECT  LEADERS 

Due  to  our  rapid  growth,  we  have 
immediate  Full-Time  opportunities  for 
both  entry  level  and  experienced 
individuals  with  any  of  the  following 
skills:  MAINFRAME  -IMS,  DB/DC, 
DB2,  CICS,  COBOL,  MVS/ESA,  VSAM, 
JCL,  TSO/ISPF  -Focus,  IDMS,  SAS 
•Telon.  Natural  Adabas  &  REXX 
MIDRANGE  -AS400,  RPG/400,  Synon 
&  COBOL,  COBOL/400  DBA  -Oracle, 
Sybase,  DB2  &  IMS  CLIENT  SERVER 
•Informix,  C,  Unix,  C++,  Visual  C++ 
•CORBA,  OOD  or  OOPS,  LAN/WAN 
•Novell  or  WinNT,  Sybase,  Access, 
Power  Builder,  SQL  Server,  Visual 
Basic  -IEF,  JAVA,  HTML,  Active  X  or 
Web  Commerce.  XML,  XSL,  WAP,  EJB 
•Oracle  Developer/Designer  2000 
•Oracle  Applications  &  Tools  "Unix 
System  Administrator  -Lotus  Notes 
Developer  -SAP/R3.  ABAP/4  and 
/or  modules  -PeopleSoft,  Baan. 
Bachelor's  or  Master's  degree  required, 
depending  on  position.  We  also 
accept  equivalent  in  education  and 
experience.  Please  forward  your 
resume  and  salary  requirements  to: 

Attn:  Recruiter 
Wizard  Business  Systems,  Inc. 
1711  West  Greentree  Dr.,  #104 
Tempe,  AZ  85284 
Ph:  480-705-6921 
Fax:  408-705-6926 
E-mail:  recruiter@wizardbusiness.com 
An  Equal  Opportunity  Employer 


Data  Architect/DBA 
Design,  develop,  customize  and 
admin  Oracle  db.  Plan  and 
develop  IT sys  and  complex  s/w 
apps.  Exp  must  include  data 
modeling  and  ETL.  Must  work  in 
a  team  using  dev  and  proj  mgmt 
tools.  Cands  must  be  Oracle 
Certified  &  have  proficiency  with 
current  releases  and  tools:  Oracle 
Developer,  Designer,  Discoverer, 
Server  &  Enterprise  Mgr.,  JDBC 
&  ODBC.  Resp  includes:  dw 
framework  design,  log  &  phys  db 
design  (OLTP  and  DSS),  db  & 
tools  installation  and  customiza¬ 
tion,  db  &  app  tuning.  Manage 
and  monitor  db:  perf  and  user 
mgmt,  review  and  optimize 
stored  procs  and  triggers,  backup 
and  recovery  procs  inc  disaster 
recovery,  config  Oracle  Web 
Servers  &  db  security  mtce.  SQL 
and  PL/SQL,  UNIX  (Solaris, 
Linux,  HP-UX,  AIX),  Shell 
Scripts,  Win  NT/2000.  MS  in  CS 
or  App.  Math  +  min.  3  years  exp. 
Send  2  copies  of  resume  to: 
GRT  Corp,  Dept.  FG,  777  Summer 
St.,  Stamford,  CT  06901 
EOE/M/F/D/V 


SYSTEMS  ANALYST:  Respon¬ 
sible  for  gathering  and  analyzing 
user  requirements  to  automate 
processing  or  to  improve  existing 
computer  systems.  Using  knowl¬ 
edge  of  hardware,  software, 
programming  languages  and 
operating  systems  including 
knowledge  of  Web  based  systems 
architecture,  relational  database, 
UML  (Unified  Modeling  Language) 
and  Object  Oriented  Analysis 
and  Design  methodology.  Ability 
to  plan,  implement,  test  and 
troubleshoot  system  software; 
ability  to  transform  user  require¬ 
ments  into  technical  specifications; 
ability  to  train  users  during 
implementation  phase.  Minimum 
of  2  years  experience  in  job 
offered.  Competitive  salary,  full 
time  job,  Mon  -  Fri  (may  require 
evening  and  weekends),  posi¬ 
tions  available  in  Coral  Springs, 
FL;  Atlanta,  GA;  Albany,  NY.  No 
calls,  mail  resumes  with  reference 
number  010  att:  L.  Fernando 
Jaramillo,  Softtek:  2900  University 
Drive,  Coral  Springs,  FL  33065 


DATABASE  ADMINISTRATOR 
to  administer,  develop,  analyze, 
test,  implement  and  maintain 
Oracle  databases  using  Oracle, 
PL/SQL,  SQL  and  PowerBuilder 
under  SUN  Solaris,  AIX,  Linux, 
UNIX  and  Windows  95/98/NT 
operating  systems;  Administration 
duties  include  installation  of 
Oracle  databases  and  develop¬ 
ment  tools,  backup  and  recovery, 
creation  and  monitoring  of  users 
tables,  indexes,  constraints,  views, 
synonyms,  role  and  privileges; 
Tune  databases  for  optimum 
performance  and  perform  trou¬ 
bleshooting.  Require:  B.S.  degree 
in  Computer  Science,  and  Engi¬ 
neering  discipline,  or  a  closely 
related  field  with  five  years  of 
progressively  responsible  expe¬ 
rience  in  the  job  offered  or  as  a 
Programmer/Analyst.  Extensive 
travel  on  assignment  to  various 
client  sites  within  the  U.S.  is 
required.  Salary:  $75,000  per 
year,  8:30  am  to  5:00  pm,  M-F. 
Send  resume  to:  Sherry  D.  Lucki, 
President  ABT  Solutions,  8517 
South  Park  Circle,  Suite  218, 
Orlando,  FL  32819;  Attn:  Job  AT. 


Software  Engineer 
Des,  dev  and  imp  sophisticated 
web  based  applications.  Plan 
and  dev  IT  sys  and  multi-tier 
distributed  computing  s/w  apps. 
Exp  must  inc  proficiency  in  OOD, 
OOA  &  modern  s/w  methods  for 
bldg  sys  arch  &  apps.  Cands 
must  be  Sun  Certified  in  Java  & 
have  exp  with  current  techs: 
Java,  JDK,  J2EE,  EJB,  Servlets, 
JSP,  Java  Beans,  JFC/Swing, 
JDBC,  ODBC,  CORBA,  COM/ 
DCOM.  Must  work  in  a  team 
with  multiple  platforms  inc  Sun 
Solaris  &  UNIX.  Adv  knowledge 
of  RDBMS  systems  esp  Oracle 
required.  Resp  inc  app  life  cycle 
dev,  imp  and  rollout.  Ability  to 
produce  tech  doc  req.  MS  in  CS 
or  App.  Math  +  min.  3  years  exp. 
Send  2  copies  of  resume  to: 
GRT  Corp,  Dept.  FG,  777  Summer 
St.,  Stamford,  CT  06901 
EOE/M/F/D/V 


Senior  Consultant-Team  Leader. 
Lead  team  in  the  design,  devel¬ 
opment  &  testing  of  software  for 
internet  applications.  Database 
design.  Tools:  Visual  Basic,  MS- 
Access,  MS-SQL  Server,  Active 
Server  Pages,  HTML,  Windows 
NT.  M.S.  in  Comp.  Sci.  or  Mgmt 
Info.  Systems  +  1  year  exp.  in  job 
offered  or  as  a  Consultant  req'd. 
Prev.  exp.  must  include  Visual 
Basic,  SQL  Server,  Active  Server 
Pages.  40  hrs/wk,  9am-5pm, 
$62,000/year. Applicants must
show  proof  of  legal  authority  to 
work  in  the  U.S.  Send  2  copies 
of resume & cover letter to Illinois
Dept. of Employment Security,
401  S.  State  St.-7  North,  Chicago, 
IL  60605.  Attn:  Leila  Jackson. 
Ref#  V-IL  24377-J.  Employer 
Paid  Ad.  No  calls. 


Sr.  Oracle  Production  Database 
Administrator  sought  by  Co. 
involved  in  development  of  content 
for  integrated  IT  learning  solutions 
in  Rochester,  NY.  Must  have  MS 
in  eng.  or  computer  discipline 
and  5  yrs  software  eng.  or 
development  exp.  Respond  to 
Lorrie  Carter,  HR  Dept.,  Element 
K,  500  Canal  View  Blvd, 
Rochester,  NY  14623,  e-mail  to 
oraclejobs@elementk.com,  or 
fax  to  (716)  295-9121. 


SOFTWARE  ENGINEER  to 
design,  develop,  test  and  imple¬ 
ment  application  software  in  a 
client/server  environment  using 
C,  C++,  Visual  C++,  PowerBuilder 
and  Oracle  on  Windows  NT  and 
Novell  platforms.  Require:  B.S. 
degree  in  Computer  Science/ 
Engineering,  or  a  closely  related 
field  with  five  years  of  progres¬ 
sively  responsible  experience  in 
the  job  offered  or  as  a  Programmer/ 
Systems  Analyst.  Extensive  travel 
on  assignments  to  various  client 
sites  within  the  U.S.  is  required. 
Competitive  salary  offered.  Send 
resume  to:  Sherry  D.  Lucki, 
President,  ABT  Solutions,  8517 
South  Park  Circle,  Suite  218, 
Orlando,  FL  32819;  Attn:  Job  JD. 


SEEKING  DATABASE 
CONSULTANT.  The  City  of 
New  York/Parks  &  Recre¬ 
ation  seeks  a  Database 
Consultant.  Bachelor’s 
Degree  in  Computer  Science, 
Engineering,  Business,  or 
related  field  &  background 
in  Oracle  and  MS  Access. 
Send  or  fax  resume  to 
M.  Brenner,  MIS  Director, 
CNYPR, 16 W. 61st St., 9th
Floor, New York, NY 10023,
Fax: 212-830-7913.


Headquartered  in  Reno,  Nevada, 
Five  Nine  Solutions  is  the  leader 
in  eTesting  for  eBusiness.  We 
currently  have  excellent  oppor¬ 
tunities  in  our  Reno  office  for: 

Project  Engineers 
Senior  Consultants 

We  offer  an  excellent  compen¬ 
sation  and  benefits  package.  To 
apply,  please  send  a  cover  letter 
and  resume  to: 

Five  Nine  Solutions,  Inc 
Attn:  Human  Resources 
9490  Gateway  Drive  #200 
Reno, NV 89511
Tel: 775-852-2995
Fax:  775-852-1088 
Email:  info@fiveninesolutions.com 


BANKING/TECHNICAL 
CONSULTANTS: 
Corillian  Services,  Inc.  of  Los 
Angeles,  CA,  an  international  IT 
Consulting  company,  has  entry 
level  and  experienced  openings 
for  the  following  positions: 

-  Business  Analysts 

-  Programmers 

Please send resume to: gvarghese@hatcherassociates.com
Website: www.hatcherassociates.com


B2B  Workforce,  Inc.,  a  consulting 
and  information  technology  com¬ 
pany,  is  looking  for  Consultants 
and  Senior  Consultants  with  3 
years  of  IT  industry  exp  plus  1 
year  of  Siebel  exp  for  work 
throughout  the  U.S.  Applicants 
must  have  Masters  degree. 
Competitive  salaries.  Please 
submit  resumes  to  Bob  Bailey  at 
rbailey@b2bworkforce.com


Celltech  Systems,  Inc.  has  imme¬ 
diate  multiple  openings  for  exp’ed 
IT  professionals  in  the  following 
areas  (various  skills  combination 
reqd.): Pro*C, Unix, Oracle 7.x,
SQL*Forms, C, VB, Developer
2000, SQL Server, DB2 UDB.
Some  positions  require  MS  or 
equiv.  CS,  Engg,  Math,  Bus. 
Admin,  or  rel.  field  while  others 
require  BS  or  equiv.  as  above. 
Pay  commensurate  with  exp. 
Foreign  equiv  of  educ.  and/or 
combination  of  educ./exp  will  be 
accepted.  Travel/relocation  reqd. 
Resumes  &  salary  expectations 
to  HR,  6200  The  Corners  Pkwy, 
Suite  315,  Norcross,  GA  30092 


Experio  Solutions  has  openings 
for  the  following  positions: 

Enterprise  Technology  Solutions 
Sr.  Consultant  -  San  Jose 
Sr.  Consultant  -  San  Francisco 
Manager  -  San  Jose 
Manager  -  San  Francisco 

Customer  Relationship 
Management 
Sr.  Consultant  -  Boston 

Supply  Chain  Management 
Sr.  Consultant  -  Atlanta 

Please  send  resumes  to: 

HR  Department 
1717  Main  Street 
Suite  500 
Dallas,  TX  75201 


SOFTWARE  DVLPMT  ENG  Pro¬ 
gram  for  projects  in  video/ 
television  industry.  Design,  dvlp, 
maintain  video  software.  Bache¬ 
lor’s  Computer  Sci,  Eng.  or  equiv 
+ 2 yrs exp in job or as Programmer/Analyst.
Exp w/ MS
Visual  C++  &  MFC  in  Windows 
NT  reqd.  $63K/yr.  Send  resume 
to:  B.  Sisley,  Video  Technics,  One 
Corporate  Blvd,  #220,  Atlanta, 
GA  30329. 


Vision  Consulting  USA,  an 
e-business  and  technology 
company,  is  seeking  qualified 
candidates  for  the  position  of 
Database  Architect  Administrator. 
Qualified  candidates  should 
possess  a  Bachelor's  Degree  in 
Computer  Science,  Engineering 
or  a  related  field  and  relevant 
professional  experience,  including 
strong  database  design  and 
implementation  of  databases 
and  related  technologies.  Send 
Resume  to:  Sue  Ellen  Cooper- 
Jones,  Recruiting  Manager, 
Vision  Consulting  USA,  Inc.,  110 
East  42nd  Street,  Suite  615, 
New  York,  NY  10017. 


Sr.  Systems  Programmer-Install, 
analyze,  design,  test,  and 
document  new  and  existing 
operating  systems.  Using  an  IBM 
Mainframe  OS390,  Assembler, 
REXX,  CLIST,  CICS,  SMP/E, 
RACF,  TCP/IP,  LAN  and  WAN, 
Unix, DFSMS/HSM, HCD/IOCP,
COBOL.  BS  degree  in  Info  Tech, 
2  yrs  of  exp  or  2  yrs  training  with 
MVS/OS390.  On-call  24hr. 
$62,000.  Send  resume  to  South 
Dakota  One-Stop  Career  Center, 
Po  Box  5778,  Sioux  Falls,  SD 
57117-5778,  phone  605/367- 
5300,  fax  605/367-5308.  Ref. 
#SD0831536. 


Better  address? 

Better  compensation? 

Better  training? 


Better  get  in  here. 


where  the  best  get  better 
1-800-762-2977 


ENGINEERING 

Informatica Corporation, a growing
high tech company that
produces datamarts, has
openings at all levels for SW
Engineers, SW/QA Engineers,
D-Base Admin, Prof. Services
Consultants, Tech Support Engineers.
Openings at the following
locations: Palo Alto, CA; Los
Angeles, CA; Plano, TX; Iselin,
NJ; New York, NY; Washington,
D.C.; Schaumburg, IL; Atlanta,
GA; Boston, MA. Send/email
resumes  to:  Informatica,  Attn:  P. 
Saadieh,  3350  W.  Bayshore  Rd., 
Palo  Alto,  CA  94303;  email 
psaadieh@informatica.com. 
EOE 


Liquidxs.com  has  openings  for 
Senior  Programmer  Analyst 
positions  with  at  least  two  years 
of  experience  in  any  of  the 
following  skills:  Java,  Visual 
Basic,  COM/DCOM,  HTML, 
DHTML,  Oracle,  ActiveX,  SQL 
Server,  and  Windows  NT. 

Some  positions  require  a  Bach¬ 
elors  Degree,  others  Masters 
Degree.  Equivalent  degree  and 
experience  is  also  accepted. 
Exc.  Pay  &  Bnfts.  Mail  resume  to: 
ssatov@liquidxs.com 


Talent  is 
the  fuel  of 
the  new 
economy. 

Fill  up 
with 

ITcareers. 


ITcareers  and 
ITcareers.com 
can put your
message  in  front 
of  2/3  of  all  US 
IT  professionals. 

If  you  want  to 
make  hires, 
make  your  way 
into  our  pages. 
Call  Janis 
Crowley  at 
1-800-762-2977 


ITcareers 

where the best
get  better 
Privacy

mandates “opt-in” rules — requiring that companies get explicit permission from consumers before they share information about them, said TowerGroup analyst Christine Pratt.

In preparation for the July 1 deadline, some large financial services firms spent millions of dollars on customer mailings and revamped databases. They’re also required to prove that their security systems are robust enough to prevent the unauthorized disclosure of private information.

Bank One Corp. in Chicago had to consolidate more than 40 databases into one to ensure that privacy could be maintained across all affiliated companies, said spokesman Stan Lata. The total cost to the bank was in the “tens of millions of dollars,” he said.

JUST THE FACTS

It’s the Law

The Financial Services Modernization Act:

■ Requires an opportunity for customers to opt out of sharing personal information with nonaffiliated third parties

■ Repeals Glass-Steagall Act restrictions on banks affiliating with securities firms

■ Requires a clear disclosure by all financial institutions of their privacy policies

Providian Financial Corp. recently completed the compilation of a privacy database that contains responses from mailings to 17 million customers.

The bank spent 18 months and “several million of dollars” updating and consolidating almost a dozen databases and updating software, Providian officials said. Now the challenge is to create relational databases that will automatically track how information is shared and who can solicit customers.

Mark Loewenthal, chief privacy officer at San Francisco-based Providian, said it will take months to “spec out” the project, tying up “significant amounts of the business and systems [department’s] time.”

Looming larger than clear-cut privacy and security provisions of federal law is a push in Congress to amend the federal legislation with a tougher set of rules.

Sen. Paul S. Sarbanes (D-Md.), chairman of the Senate Banking Committee, has submitted a bill that would force financial services firms to give customers an opt-out option even when seeking to share their financial information with affiliated firms.

Sarbanes’ bill, called the Financial Information Privacy Protection Act of 2001, would also require an opt-in option for consumers when companies share some types of sensitive financial or medical information with either an affiliated or unaffiliated third party.

According to Patrick F. Sullivan, vice president of privacy and information policy at Waltham, Mass.-based security provider Guardent Inc., an opt-in policy would be far more expensive, not only because companies would have more information to protect, but also because “you’ve got to start building your marketing lists all over again.”

Moreover, the new legislation doesn’t limit the ability of states to adopt their own, more stringent regulations.

“The more variations you get from states, the more complex it is for business to try to comply,” Loewenthal said.

MOREONLINE

For Computerworld’s complete coverage of

Continued from page 1

Microsoft

design remains to be determined. The appeals court remanded the case on June 28 to a lower court, and there is also the prospect of a settlement. But the appeals court decision, which upheld the finding that Microsoft used illegal means to maintain its monopoly status, raises some interesting possibilities for end users.

Testimony by one large end user, Seattle-based The Boeing Co., played a key role in the government’s contention that integration hurt consumer choice. The appeals court ruled that Microsoft’s commingling of Internet Explorer code with the operating system is anticompetitive. The court said that “the commingling deters OEMs from preinstalling rival browsers.”

A Boeing official, in a videotaped deposition and in documents, testified in 1998 that the aircraft company had standardized on Netscape Communications Corp.’s browser but said the integration between Internet Explorer and the operating system couldn’t be disabled. Supporting two browsers would increase costs, a Boeing official said. The Boeing official who testified declined to comment.

Legal experts say the concerns raised by the court may ultimately be applied to media, instant messaging and other applications Microsoft is integrating with the Windows XP operating system, due in October. “It’s not beyond the pale that they might have to componentize XP to some extent,” said Donald Falk, an antitrust attorney at Mayer, Brown & Platt in Palo Alto, Calif.

For instance, if Microsoft is ultimately required to enable PC makers to remove some applications from the operating system or add others to it, end users may find it possible to purchase a Windows system more to their liking.

Mitch Blackburn, vice president of operations at rental car firm ANC Rental Corp. in Fort Lauderdale, Fla., is one such end user.

Because of the system demands of the Windows operating system, ANC has “to buy a pretty large workstation with lots of memory, fast processors, lots of disk,” said Blackburn. If he could purchase a “light” version, “that would be really advantageous,” he said. ANC currently has more than 12,000 workstations.

But end users also said it would be difficult to begin switching to non-Microsoft products.

Amy Courter, vice president of IT at marketing firm Valassis Communications Inc. in Livonia, Mich., said it’s unlikely the company would move from Internet Explorer to Netscape because the company hadn’t completed the investment, training and testing. But she still believes that a componentized operating system would be beneficial. Just “the thought of competition sometimes creates better products,” she said.

Even if PC makers gain flexibility in swapping out a Microsoft application with that of another vendor, they may “choose not to take it because of the support cost issue,” said Rob Enderle, an analyst at Cambridge, Mass.-based Giga Information Group Inc. “It will typically cost them more to support a nonintegrated offering than an integrated offering,” he said, noting that IT managers could therefore still be left with few options.

Microsoft, for its part, insisted the decision won’t affect its product design.

It’s also possible that the appeals court decision could prompt lawsuits from rival vendors challenging Microsoft’s operating system design, said Hillard Sterling, an antitrust attorney at Gordon & Glickson LLC in Chicago. “It’s going to take a long legal battle to apply these restrictions to XP applications,” he said.

MOREONLINE

For Computerworld’s coverage of Microsoft’s legal issues, click to www.computerworld.com/mslegal


Mettle to Settle?

Microsoft and the government are expected to make a third attempt at a settlement before the case returns to a lower court, as ordered by the U.S. Court of Appeals, for a new hearing on remedies and the tying issue. Possible settlement points:

BREAKUP Microsoft is adamantly opposed to a breakup. States may still push for it, but a conduct remedy was discussed in earlier settlement talks. The main problem with a conduct remedy, say critics, is the necessary ongoing government oversight.

PRICING The company could be required to provide uniform terms for Windows operating system products to PC makers.

APIs The government is likely to seek guarantees that application programming interfaces are made available to vendors and PC makers as soon as they are in use by Microsoft’s own software developers.

START-UP PC makers may get flexibility in the applications they can offer and the power to control start-up screens.
FRANK HAYES/FRANKLY SPEAKING

Big, Ugly Security

NO WONDER WE HAVE security problems. For decades, we’ve treated security as an afterthought, an add-on, a kludge. First we design the business system. Then we assemble the technology and build the applications and string the wires. And then — because it’s a checkoff item we have to complete before the big bosses will sign off on the project — we throw in some security.

That’s how we’ve done it for 40 years, since the days when IT system security meant adding a good lock on the mainframe room’s door.

It’s still that way today. Now, instead of a lock, security means passwords and firewalls and utilities that sound the alarm when they detect unauthorized probing of ports or access to accounts.

But security is still the last thing we cobble together and bolt on. And as a result, it’s usually the messiest, ugliest, most user-unfriendly part of our systems.

Is it any surprise that for almost everyone else in corporate life, our cobbled-together, bolted-on security is first and foremost an inconvenience, an irritation, an annoyance?

Permissions, virus filters, limited data access, digital certificates, encryption and piles of passwords — they’re all pretty much the same to users. They’re a pain. They chew up valuable time. They get in the way.

So what do most users do when faced with this in-their-face, time-and-effort-consuming security? They look for ways around it.

They thumbtack lists of passwords to their cubicle walls. They leave their PCs on when they’re away so they won’t have to log in again. They turn off filters, turn on scripting and swap unauthorized tricks and shortcuts for bypassing security.

So, of course, our security problems just keep getting worse. It’s not just crackers and spies and assorted bad guys who are finding ways around our security. It’s our users, too.

Sure, they’re wrong to undercut our security measures. But it’s our own fault.

As long as IT people treat security as an afterthought, we’ll keep on building systems where ugly, inelegant security gets in the way. And if it’s in the way, users will fight it, work around it, undercut it.

The best solution — the one we can’t afford, of course — would be to rebuild everything, our entire IT infrastructure, applications, the works, with security designed and built into it down to the core.

We’ll need that, and maybe sooner rather than later. With supply chains and B2B and Web commerce, our systems are more exposed than ever. But rebuilding our world with single sign-on, highly secure databases, IP Version 6 networks, smart-card authentication and the other technologies required will take time. Learning to use them effectively will take longer. Getting budget approval could take forever.

But we don’t have to wait for that. We can start rethinking security today. And one good place to begin is to take some of the sting out of security for users.

Maybe we can get rid of those tacked-up lists of passwords by cutting down the number of different passwords we assign each user. If we can’t do real single sign-on today, maybe we can whip up some scripts that let users type one password once, and let the machine do the rest of the work.

Maybe we can adjust how PCs log on to networks and applications when they start up, so users won’t be so tempted to leave them running unattended.

Maybe we can cut down on unauthorized shortcuts around security by building some secure tunnels that let users do what they need easily, without compromising security or breaking our rules.

Yes, those are more security kludges. But at least they’re elegant kludges that make security a little less obnoxious and a little more convenient for users.

And just maybe that will start IT down the path of treating security as something more than an afterthought.

Frank Hayes, Computerworld’s senior news columnist, has covered IT for more than 20 years. Contact him at frank.hayes@computerworld.com.


USER TELLS IT pilot fish that Microsoft Word is adding extra text to her documents. Sure enough, a short document on her screen comes out of the printer with extra text each time. Reinstalling the software doesn’t help. Fish checks the printer and discovers user is recycling paper that’s already been printed on one side - all bearing the same text. Solution: blank paper.

ENGINEER WANTS a particular new application to be installed on one of the company’s Windows NT 4.0 servers. We’re about to upgrade to Windows 2000 - is this software compliant? pilot fish asks. “Just because you like 2000 doesn’t mean we have to go to it,” engineer snarls. “Why can’t we use NT 5 or NT 6, or even spend the extra for NT 7? Be different,” he tells fish, “and stick with NT.”

AFTER HOSPITAL upgrades one low-tech doctor from a terminal to a PC, IT pilot fish gets a call from his secretary asking for a larger terminal. “He needs it for his bulletin board,” she explains. Fish is curious - the hospital has no bulletin-board system, and Dr. Pencil-and-Paper isn’t the type to set one up. An office visit clears it up: The doc’s PC isn’t even turned on, but his monitor is covered with Post-it Notes - and he’s run out of space.

SIGN OF THE TIMES Laser printer at a nursing home gets a paper jam. Pilot fish discovers the problem right away: a stack of continuous-feed paper stuck in the roller slot. “This printer uses single sheets,” fish tells user. “Yes, I know,” she says, “but I was printing a banner.”

PILOT FISH is trying to upgrade the e-mail system. Users are supposed to log off by noon Friday, but at 2 p.m., some are still logged on. “No, I’ve been out of my e-mail since noon,” swears one user. OK, says fish, maybe the system retained your connection. Can you reboot? “Sure,” says user, “just let me finish sending this e-mail.”

Send e-mail my way: sharky@computerworld.com. You get a sharp Shark shirt if your true tale of IT life sees print - or if it shows up in the daily feed at computerworld.com/sharky.


The 5th Wave

Gee, Richard, you'll have to show me where on the toolbar you found an icon labeled "Overkill".

© Rich Tennant, www.the5thwave.com


More  than  280  million  individuals.  More  than  a 
billion  lines  of  data.  More  than  a  trillion  data 
elements.  We’re  talking  about  a  record  number 
of  records  -  even  for  the  U.S.  Census  Bureau. 
But  it’s  not  just  the  counting  that’s  important  in 
Census  2000.  It’s  also  the  accuracy.  That’s  what 
we  the  people  count  on  most.  So  we  can  know 
with  certainty  where  to  allocate  our  housing, 
services  and  government  funds.  Why  we  gain 
or  forfeit  our  Congressional  seats.  Who  makes 
up  our  nation’s  demographics.  To  review  the 
accuracy  of  records  from  Census  2000,  the  U.S. 
Census  Bureau  chose  SAS!  Why?  We'll  let  our 
record  speak  for  itself.  Call  800-727-0025  or 
stop  by  www.sas.com/census.  To  learn  more 
about  the  U.S.  Census,  visit  www.census.gov. 


The Power to Know.

e-Intelligence
INDUSTRY POSEURS EXPOSED.


CODERNAUTS DISCOVER


WEB SERVICES THAT ACTUALLY WORK.

*  IBM  SOFTWARE  WITNESSED  ENABLING  WEB  SERVICES.  * 


SILICON VALLEY, CA-

A landmark discovery was announced that may well change the course of business. Web services, as enabled by IBM software and seen in action, provide companies with new ways to make money without spending it.

A lot of hype surrounds Web services, which contain incredible promise. Yet, of all the people talking about Web services, IBM has the software and experience to deliver on that promise today.


IBM SOFTWARE SUPPORTS OPEN WEB SERVICE
STANDARDS: UDDI, SOAP, WSDL, XML.


Web services utilize industry standards to deploy and integrate applications across the Internet, intranets and extranets.

IT'S A DIFFERENT KIND OF WORLD. YOU NEED A DIFFERENT KIND OF SOFTWARE.

Web services make it easy to adapt systems to changing business needs. Flexible applications using Web services can now be implemented by the IBM software portfolio: WebSphere, Lotus, DB2 and Tivoli.


TWO  PROGRAMMERS  FROM  A  PARALLEL  UNIVERSE  FOUND  THAT  IBM  SOFTWARE  CAN 
HELP  COMPANIES  UTILIZE  WEB  SERVICES  TODAY,  TO  INCREASE  THEIR  REVENUES. 


With their operations enabled by Web services, IT managers can now let others access and use their company’s business processes as easily as people download Web pages.

The benefits: low cost of development and wider deployment of applications, increasing competitive advantage.

For instance, a moving company facing the problem of keeping its trucks full during the entire cycle of the transport, as in return trips during cross-country moves, can now utilize Web services enabled by IBM software to seamlessly locate, book and manage new customers.

CODERNAUTS LEARNED MORE ONLINE.


Another case is a travel, leisure and entertainment company. The challenge? Link hundreds of applications together to form a one-stop Web portal that provides relevant information and offerings to customers. The result? Expanded services at dramatically reduced costs.

Presently, there are a number of software vendors trying to sell their proprietary technologies as ways to enable Web services.

Yet IBM is a proven provider who is delivering a truly open e-business software environment to exploit your existing applications. Today.

Software that enables Web services, known as IBM software, was discovered by two programmers from a parallel universe. “We came looking for better software,” said one. “And this is definitely it!” For case studies, white papers and an announcement highlights video, visit us at ibm.com/webservices/today


WEB  SERVICES  HELP 
APPLICATIONS  COMMUNICATE 
MORE  EFFECTIVELY. 


business  software 


